Forget moving to Canada or what Brexit will do to your passport. Seventeen months from now, everyone will be a European, at least as far as data protection is concerned. If you ship, sell or in any way try to convince a European to buy your products or services, then the General Data Protection Regulation (GDPR) needs to be at the top of your compliance agenda.
The Irish Data Protection Commissioner, who regulates the European operations of companies like Amazon and Microsoft, has said, “it is essential that all organizations immediately start preparing for the implementation of GDPR.” The risks of doing nothing are severe: a fine of up to €20m, or 4 percent of annual turnover, whichever is greater.
The rules are clear. Any company based in the EU, or any company marketing products or services to EU citizens – for example, by hosting websites in European languages or offering prices in Euros – will need to comply.
Forget protectionist fantasies of keeping jobs at home: GDPR itself is a job creator. Up to 75,000 data protection officers may be needed to ensure compliance with the new law, a massive jump from the estimated 28,000 new DPOs forecast earlier this year. The U.S. alone will have to hire 10,000, and even smaller countries like Switzerland will need to employ more than 3,500 DPOs.
Regardless of whether the U.K. leaves the EU or the single market, GDPR will apply in Britain. A bigger issue that will define the data relationship between the U.K. and Europe is whether British law will offer enough ‘equivalency’ to EU data protection law to prevent the simple act of sending a file into or out of the U.K. from becoming a potential breach of EU law once the U.K. is out and the two systems start to diverge.
Some companies have already started moving their data centers outside of the U.K. in response to fears that Brexit will create a British black hole within European privacy law. Email encryption provider Echoworx has moved its operations to Dublin in order to create jurisdictional security no matter what kind of Brexit occurs.
Moving operations abroad may be a drastic step, but whether a business decides it needs to make a new hire or to fold GDPR responsibilities into existing compliance structures matters less than ensuring staff are trained on what the changes will mean for how they do their jobs.
Something as simple as conducting a basic criminal background check of a new employee will be banned unless there is a specific legal justification for doing so.
Every person approached for marketing purposes will have to have given explicit consent to being contacted in that way, and can withdraw that consent at any time.
Even the forgotten bits of data collected from passing mobile devices trying to connect to the company WiFi might be classed as personal data if further action to anonymize it is not taken.
The question that companies need to consider is not whether their Data Protection Officers are up to speed, but whether every other part of the business, in particular the HR, marketing and IT departments, is ready to become European.