Greetings from Brussels!
Interestingly, the Queen's speech tackled the subject of data protection this week. Addressing both houses of the U.K. Parliament, the Queen said the nation will retain its "world-class" data protection regime by confirming it will implement the General Data Protection Regulation. A host of proposed new laws designed to prepare the U.K. for a "smooth and orderly" departure from the EU was also announced in the royal speech. Of 27 bills, eight relate to Brexit and its impact on immigration, trade and sectors, such as fisheries and farming.
In a document further detailing its plans, the U.K. government said its key priorities for data protection were ensuring data protection rules were "suitable for the digital age," empowering individuals to have more control over their personal data. An additional priority is modernizing data processing procedures for law enforcement agencies. By extension, an emphasis will also be placed on allowing police and the authorities to "continue to exchange information quickly and easily with international partners to fight terrorism and other serious crimes."
Reactions from industry have been positive. As highlighted in recent articles and press, there has been much uncertainty surrounding businesses' preparedness. This announced intended update to the Data Protection Act is the news, and perhaps the tonic, that many companies have been waiting for. This certainly should help to accelerate and incentivize GDPR program implementation for U.K. business.
Only this week, recent research carried out by Webroot indicates that U.K. small- to medium-sized businesses misunderstand the impact of Brexit on compliance with the GDPR. It was found that SMBs were unsure if they would have to adhere to GDPR regulation after Brexit, despite the need to be compliant if data of European citizens is held by the organization. Perhaps alarmingly, despite needing to become compliant to continue day-to-day operations, nearly half of U.K. SMBs (49 percent) stated they were not confident they can meet the stringent requirements for compliance.
You have to think that a significant percentage of these organizations may as well be vendors and suppliers to larger organizations that are putting GDPR at the heart of their processing operations; those larger organizations are looking at their end-to-end processing in a bid to ensure data integrity through their supply chains. In addition to their confusion about GDPR compliance, 51 percent of all SMB survey respondents believe their business is not at risk of cyberattack, indicating a dangerous misperception about the threat landscape and the need for appropriate security measures. These misunderstandings seem also reflected by the fact that nearly three-quarters of the firms have not allocated budget or resources required to meet GDPR compliance.
I expect, as in other countries, we will start to see a greater uptake in preparation across the SMB sectors in the U.K. in the run-up to May 2018. At the IAPP, we are certainly seeing increased activity and substantial growth across the board in demand for our services and support. We will also be working in partnership with the Confederation of British Industry in the coming months to bring some practical workshops to CBI members in different regions of the U.K., with a focus on GDPR project plans and targeted advice on the key issues that need reflecting in those plans. There is still much to do, and at the IAPP, we are diligently working to ensure that we continue to support privacy functions through diverse channels.