On the right to be forgotten

August 10, 2016

The revised General Data Protection Regulation, applicable from May 2018, sets requirements for data portability, the right to object to data held, the right to be forgotten (pleasingly termed 'erasure') and much more. In typical understatement, the European legislators said the GDPR was "intended to contribute to the accomplishment of an area of freedom, security and justice and of an economic union, to economic and social progress, to the strengthening and the convergence of the economies within the internal market, and to the well-being of natural persons".

But Brexit, though. For those hoping the UK's vote to leave the EU will steer us clear of the 150 or so pages of suffocating regulation, a few points. Given that the government is soft-pedalling on when the two-year negotiation period for exiting the EU will begin - and leaving aside the question of whether the Brexit package will be put to parliament or electorate - it is highly likely we will still be in when these rules come into place, whether or not they apply 'directly'. Regardless, the Information Commissioner's Office (ICO) has said that UK rules will have to be "equivalent" to the GDPR if we want to trade with the single market on equal terms. A sense of inevitability around these rules has led legal experts to urge UK companies to prepare for the 2018 deadline either way.

A little background is in order. The rules replace the 1995 directive of the same name (which set the background for the UK's 1998 Data Protection Act). Also in 1995, two men called Larry Page and Sergey Brin met at Stanford University, which is to say that a lot has changed in the interim, from the amassing of user search data to the proliferation of social media. The most important dynamic to emerge is that between the protections on offer in Europe and the US, a story which came to a head last year at the Court of Justice of the EU.

Austrian citizen Max Schrems, a user of Facebook since 2008, had complained to the Irish data protection authorities that recent revelations regarding the US National Security Agency demonstrated that US law and practice does not sufficiently protect personal data from state surveillance. In a landmark ruling, the ECJ rejected the 'safe harbour' data sharing agreement with the US on the basis that it allowed interference from the country's public authorities with Europeans' fundamental rights. It also meant a step change for companies wanting to transfer personal information out of Europe.

The EU's line in the sand means it is worth considering the data protection policies of the companies in which you invest. Impact assessments, changes to how consent is obtained, pseudonymisation of data, new rules for information held on children: there is much to preoccupy a company's data controller. With reason. Infringements of the GDPR could see administrative fines of €20m (£17m), or up to 2 per cent of annual turnover, whichever is higher. Data breaches such as that suffered by TalkTalk (TALK) could turn out to be even costlier: a company's data controller will have 72 hours to report a breach to the relevant supervisory authority, and be expected to communicate with the affected users "without undue delay".

If this sounds like a good business opportunity, look no further than NCC Group (NCC), which provides security assurance and testing, incident response and managed security services. Cyber security is "the most significant issue facing businesses today", its bosses said in its results last month, where they were understandably keen to echo the ICO's line on equivalence. Either way, it looks like companies will need to get used to a regulatory landscape where users have 'taken back control'.