Clearly there is a lot of political fallout over Great Britain’s recent vote to exit the EU – for days after the vote it dominated the news cycles. We all heard both the fear and the support of the decision by the British people. We heard about immigration, defense, monetary policy and regulatory authority. Those are certainly all things citizens need to understand and debate, and governments need to discern and minimize the fallout of what looks to be a very expensive divorce settlement for all involved.
But we’re an ethics company, and although interested in the political ramifications (it’s impossible after all to grow up and live in Washington DC without being a political junkie!), I came back to “what does this mean for my clients?” and “how do I counsel their ethics and compliance reporting strategies in light of Brexit?”
Especially for many American firms, the phrase GDPR means very little. That’s OK, because until Brexit it shouldn’t have. As a bit of background, the General Data Protection Regulation (“GDPR”) is a new law that covers marketing data and was introduced in all EU countries on May 26, 2016 and becomes enforced in May 2018. Key point being “all EU countries.” Hmmmmmm……… so via Brexit, Great Britain will no longer be an EU country so, hey, wait a minute, as a GRC professional now I have to understand global politics and the fate of the EU too?
Well, yes, you do. So some more history. The current body of governing law in Great Britain related to data privacy is called the DPA or Data Protection Act, and it came into being in 1998. Yes, pre-Facebook, Twitter, YouTube, Instagram, Pinterest, and the list goes on. The regulations are long outdated and were set to be replaced by the GDPR. Now, with Great Britain leaving the EU and the updated data privacy regulations along with it, it is back to the future, when social media was a chat room on AOL. Ouch. Did I really just say a chat room on AOL?
Great Britain will need a new DPA, that makes perfect sense, and it will need to closely follow the GDPR. Clearly the UK will want to continue trading with the EU post-Brexit, and in order to do that, it must have data laws that are as stringent as those in the rest of Europe. The GDPR applies to any nation that wants to sell to EU citizens – including the USA, India, Australia… and now the UK.
This changes a lot of GRC dynamics – potentially even down to where the servers that hold the data supporting GRC solutions like incident and case management in Europe are located.
So here are points that you should consider including prominently in your incident and case management plans in the wake of Brexit, the implementation of the GDPR, and your global GRC strategy:
Be secure. The origin of the GDPR was data security and the prevention of hacking and data loss (duh…it’s in the title of the regulation). It’s the data protection regulation, not the data marketing regulation. For GRC professionals this means a review of how and where you store personal information, for example, and of the security of your website, for another.
Risk Analytics. Times of change and uncertainty should be faced with a risk stratification matrix. Sounds easy, but not so much. First and foremost, focus on line-of-sight issues across all areas of the business so you can align resources accordingly, or as the cliché goes, “try to swing the axe one time and fell two trees.”
Inform yourself. Although laws and regulations are all too often things left to the general counsel, in this case, we need to get informed and pay attention. Talk with your IT folks because the responsibility for data does not rest solely with the GRC team, but the fallout from a breach or bad press from a GDPR violation sure does. And watch what the UK does to replace and update the DPA.
UPDATE // April 10, 2018
The past 18 months since first blogging on this have passed in the wink of an eye, and we are now in the final month prior to the GDPR taking effect. Although for many of you the concerns are still the same, there has been some progress on some of the points I made, the biggest being in the UK discussion. On that front, despite the UK triggering Article 50 of the Lisbon Treaty (this is actually what they did and is commonly called “Brexit”), their negotiations to leave the union are not complete, and when May 25 rolls around next month and the GDPR takes effect, the UK will technically still be a member state. In addition, the second reading of their new DPB (“Data Protection Bill”) is currently in the House of Lords. The DPB is the UK’s answer to the GDPR and will effectively update their standards to a 21st century model and supplant those 1998 standards I wrote about in the initial blog. There are some differences that you should explore, especially if your company has locations in the UK as well as in other EU member states – the biggest perhaps being that the appointment of a controller is in the GDPR but not in the DPB. We believe it is still advisable to have this role for UK companies even though it is not required, but this is one of those areas you should discuss with counsel. There are other differences that deal with the age at which children can give consent regarding data privacy.
Still, even with experts, there is some uncertainty about what will really happen when Brexit occurs. There’s still a way to go on this deal and not a lot of time to do it. We’ll do our best to stay informed and help our clients navigate this, but our strongest advice is to have a task force with counsel that focuses in this area to guide you through these coming months. Until then, we’ll keep tossing out questions you might want to ask!
J Rollins is the co-founder and CEO of ETHIX360. At ETHIX360, our goal is simple: to provide an affordable, flexible and comprehensive answer to employee communication and case management on issues related to corporate ethics, code of conduct, fraud, bribery and workplace violence. To learn more about ETHIX360, please visit www.ethix360.com, or follow us on Twitter @ethix360.