GDPR, DPA, DPB, UKBIS – acronyms everywhere!
In the world of tech, perhaps the most influential piece of legislation is coming into effect: ‘Regulation on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC’, or its marginally snappier title, ‘The General Data Protection Regulation’. This piece of law will implement fines for companies that have their data breached, and bring the power over individual data back to those whose data it is, i.e. the European citizen. It also addresses, however, the export of personal data outside the EU.
This means that if you are a customer of a European company, or a business from the US, Djibouti, or even Peru doing business with Europeans, you will be subject to that same regulation. Indeed, this is one of the challenges: the implementation of GDPR will mean huge changes to business practice for companies that had not implemented a comparable level of privacy before the regulation entered into force, especially when it comes to non-European companies handling EU personal data.
In short, GDPR is a truly global piece of legislation, which makes you wonder: why did the UK government think it necessary to launch a new Data Protection Bill? The Data Protection Act (DPA) was last updated in 1998, and the revision announced this month intends to bring it into the 21st century. However, it beggars belief that the government saw fit to devote time, money, and effort to something that will essentially do the same thing as GDPR.
The latest iteration, put forward by the Minister for the Department of Culture, Media and Sport (DCMS), Rt Hon Matt Hancock MP, can be viewed in a few ways: was it one last twist of the knife following the Brexit referendum? A further way to say “Hey, we aren’t beholden to you any more, Brussels! Ha!”? Was it an exercise in putting the UK back to the top of the global rankings in at least something? Was it just an activity to prove the legitimacy of the current government, to be seen to be doing something? I’ll get off my soapbox, as this is perhaps another discussion for another time.
Back to the regulation.
A huge proportion of the British economy is propped up by small-to-medium-sized businesses that turn over less than £10 million per annum, and which do a lot of trade with Europe. These companies will categorically not be able to swallow the fines of GDPR if they are breached. A large company (think BAE Systems, Goldman Sachs, Unilever) will. There is a distinct lack of clarity in what the DPA amendment will actually achieve, other than mirror GDPR, and what it will mean for these smaller businesses. Once again it comes down to communication. The National Cyber Security Centre (NCSC) has been doing quite a good job at explaining the regulation, but it is down to government, specifically DCMS and the UK Department for Business, Innovation and Skills (BIS), to help these organisations become GDPR compliant at the very least. Business needs to understand this, not just comply blindly.
Which brings me to another point: when it comes to PR, we are going to have to understand this regulation for our clients. Whether B2B or B2C, telecoms or Thai restaurants, the ability to help our clients understand what GDPR means, before the ‘Worst Case Scenario’, is going to be crucial to our industry. After all, if a business loses money due to a breach, then loses more due to reputational damage, we go out of business. I think we will see a new breed of cyber-savvy PRs, not only from a communications point of view but potentially also from a technological standpoint, and this is something I’m quite looking forward to observing.
Now where’s my Networking Textbook…