What Does Britain's EU Exit Mean for Your Company's Global Compliance Strategy?


There is a lot of political fallout over Great Britain’s recent vote to exit the EU. It dominated the news cycles for days after the vote. We all heard both the fear and support of the decision by the British people. We heard about immigration, defense, monetary policy, and regulatory authority. Those are certainly all things citizens need to understand and debate. Governments need to discern and minimize the fallout of what looks to be a costly divorce settlement for all involved.

But we’re an ethics company, and although interested in the political ramifications (it’s impossible, after all, to grow up and live in Washington DC without being a political junkie!), I came back to “what does this mean for my clients?” and “how do I counsel their global compliance strategy in light of Brexit?”

GDPR and DPA basics

Especially for many American firms, the phrase GDPR means very little. That’s okay because, until Brexit, it shouldn’t have. As a bit of background, the General Data Protection Regulation (“GDPR”) is a new law that covers marketing data; it was introduced in all EU countries on May 26, 2016, and becomes enforceable in May 2018. The critical point is “all EU countries.” Hmmmmmm……… via Brexit, Great Britain will no longer be an EU country. So, hey, wait a minute, as a GRC professional, I have to understand global politics and the fate of the EU too?

Well, yes, you do. So some more history. The current body of governing law in Great Britain related to data privacy is called the DPA or Data Protection Act, and it came into being in 1998. Yes, pre-Facebook, Twitter, Youtube, Instagram, Pinterest, and so on. The regulations are long outdated and were set to be replaced by the GDPR. So with Great Britain leaving the EU and the updated rules around data privacy, it is back to the future when social media was a chat room in AOL. Ouch. Did I really just say a chatroom in AOL?

Next Steps for the UK

Great Britain will need a new DPA, and that makes perfect sense. It will need to follow GDPR closely. The UK will want to continue trading with the EU post-Brexit, and to do that, they must have data laws that are as stringent as those in the rest of Europe. The GDPR applies to any nation that wants to sell to EU citizens – including the USA, India, Australia… and now the UK.

This changes a lot of GRC dynamics – potentially even down to where the servers are located that control the data used in supporting GRC solutions like incident and case management in Europe.

Here are three points that you should consider including prominently in your incident and case management plans in the wake of Brexit, the implementation of the GDPR, and your global compliance strategy:

  1. Be Secure

    The origin of the GDPR was data security and the prevention of hacking and data loss (duh…it’s in the title of the regulation). So it’s the data protection regulation, not the data marketing regulation. For GRC professionals, this means reviewing how and where you store personal information, for one thing, and the security of your website, for another.

  2. Risk Analytics

    Times of change and uncertainty should be faced with a risk stratification matrix. Sounds easy, but not so much. First and foremost, focus on line-of-sight issues across all areas of the business so you can align resources accordingly, or as the cliché goes, “try to swing the axe one time and fell two trees.”

  3. Inform Yourself

    Although laws and regulations are often left to the general counsel, we need to get informed and pay attention in this case. Talk with your IT folks because the responsibility for data does not rest solely with the GRC team, but the fallout from a breach or bad press from a GDPR violation sure does. And watch what the UK does to replace and update the DPA.


UPDATE // April 10, 2018

The past 18 months since first blogging on this have passed in the wink of an eye, and we are now in the final month prior to GDPR taking effect. Although for many of you the concerns are still the same, there has been some progress on some of the points I made, the biggest being in the UK discussion.

Despite the UK triggering Article 50 of the Lisbon Treaty (this is actually what they did and is commonly called “Brexit”), their negotiations to leave the union are not yet complete. When May 25 rolls around next month and GDPR takes effect, the UK will technically still be a member state.

In addition, the second reading of their new DPB (“Data Protection Bill”) is currently in the House of Lords. The DPB is the UK’s answer to the GDPR and will effectively update its standards to a 21st-century model and supplant those 1998 standards I wrote about in the initial blog.

There are some differences that you should explore, especially if your company has locations in the UK as well as other EU member states. The biggest may be that the appointment of a controller is in the GDPR but not in the DPB. We believe it is still advisable to have this role for UK companies even though it is not required, but this is one of those areas you should discuss with counsel. There are other differences that deal with the age at which children can give consent regarding data privacy.

Even with experts, there is some uncertainty about what will really happen when Brexit occurs. There’s still a way to go on this deal and not a lot of time to do it. We’ll do our best to stay informed and help our clients navigate this, but our strongest advice is to have a task force with counsel that focuses on this area to guide you through these coming months. Until then, we’ll keep tossing out questions you might want to ask!


The ETHIX360 blog brings you weekly updates on all things human resources and compliance.


MEET THE AUTHOR

J Rollins is the co-founder and CEO of ETHIX360. J is a well known leader and innovator who has served on senior leadership teams ranging in responsibility from Chief Revenue Officer, Chief Marketing Officer, SVP of Product Strategy and Chief Operating Officer.


ABOUT ETHIX360

At ETHIX360, our goal is simple: to provide an affordable, flexible, and comprehensive answer to employee communication, policy management, corporate training and case management on issues related to corporate ethics, code of conduct, fraud, bribery, and workplace violence.
