The UK tech industry has warned ministers not to drop EU data security laws – the GDPR – as diverging from EU data protection standards after Brexit will “undermine” the UK’s status as Europe’s leading tech hub.
“Diverging from EU data protection rules in domestic law post-Brexit would undermine this opportunity,” wrote Julian David, chief executive of TechUK, which represents nearly 1,000 UK tech firms, including several FTSE 100 companies.
Tech UK has said that its members have no wish to diverge from the GDPR post-Brexit because a) there is no proof that dropping these rules would impact UK trade deals and b) many tech companies in the UK have already invested significantly in order to achieve compliance with the new EU regulations.
>See also: GDPR compliance: what organisations need to know
“We would caution against the misunderstanding that adherence to the EU data protection regime is incompatible with securing high-quality trade agreements,” added David.
In a statement, the Department for International trade referred to remarks from Fox last August, when he welcomed the position of data flows between the UK and EU.
“With the UK at the forefront of the increasingly digitised global economy, the government is keen to prioritise key areas such as digital trade and investment as we leave the EU,” he said at the time.
“Secure data flows between the UK and EU are crucial for our economic prosperity and these proposals give certainty to businesses and consumers that high protection standards will continue.”
Obstacles to GDPR compliance
Research from Citrix has outlined the four major obstacles to EU GDPR compliance still faced by many British businesses in the run up to the May deadline – highlighting the trouble areas where UK companies are still trying to achieve compliance and how much work is being undertaken to meet these EU regulations.
>See also: What does the UK’s Data Protection Bill mean for businesses?
The poll, of 500 IT decision makers at companies across the UK with 250 or more employees, found that the main obstacles were:
(Lack of) preparation
Almost two fifths (38%) of respondents acknowledge that they are not ready for the GDPR, either admitting that current control access policies are insufficient to comply with the regulation or they have ‘no idea’ whether they meet the regulation’s standards.
Data sprawl
The average large UK business now uses 24 systems to manage and store personal data, but one in five (21%) use over 40 systems to do so. Additionally, almost half (47%) of the respondents share personal data from customers with other businesses – severely adding to data sprawl.
Information overload
On average, large UK businesses that responded to the survey collect personal data from 577 individuals each day. However, more than one in four (26%) large businesses collect personal data from over 1,000 individuals every 24 hours – creating a huge influx of data to store and manage in the enterprise.
>See also: EU Regulation: time to act on corporate data protection
Division on data ownership
Almost two thirds (65%) of the firms surveyed store and manage personal data based on predictive analytics but, interestingly, businesses could not agree on who owned this data. Only a quarter (27%) of businesses believe this data is owned by the customer while half (50%) think it belongs to the organisation.
“The GDPR will do far more than strengthen data privacy rights,” said Chris Mayers, chief security architect, Citrix. “The regulation will set a high bar for responsibility and accountability – and not one that every business will meet. While many British organisations are taking steps to achieve compliance in time for the May 2018 deadline, our research clearly reveals some significant obstacles, including uncontrolled data sprawl and lack of understanding around data ownership.”
>See also: What is the impact of the changing data protection landscape?
“Ensuring data privacy processes and systems are in place – from privacy by design to privacy by default – requires an organisation to know exactly where their data is and who can access it. Yet many are losing sight of data, spread across multiple systems and shared with multiple partners, while also struggling to scale up to store and control the huge influx of personal customer data they receive today.”
“Businesses must recognise that more centralised application and data storage environments will make it easier to meet technical compliance goals. This centralisation can be achieved in various ways, from introducing unified access controls across on-premise and cloud services with single sign-on to rolling out centrally-managed virtual workspaces. However it is done, controlling data sprawl and recognising enterprise accountability around data privacy will be key to GDPR compliance.”
Reaction to David Davis’ speech today in Vienna
In David Davis’ speech today, he outlined the UK government’s commitment to maintaining regulatory standards. However, businesses are eager for more detail and practical progress.
Responding to the speech, Antony Walker, techUK deputy CEO, said:
“We welcome David Davis’ commitment to maintaining high regulatory standards after the UK’s departure from the EU. Tech businesses have been clear that they want the UK to maintain parity with the EU in key areas like data protection and electronic standards. It is in the interests of both tech businesses and their consumers that the UK maintains high regulatory standards after Brexit. Being aligned with the EU in these key areas will be essential for enabling UK firms to trade and compete fairly for business across Europe.”
>See also: Cloud service providers key to avoiding data regulation penalties
“To influence future rule setting by the EU, the UK is going to have to lead by example. That means demonstrating that we are getting the balance right in terms of regulatory approaches that build trust and support innovation. The creation of the new Centre for Data Ethics and Innovation is a good example of where the UK is forward looking and engaging in the global conversation on how the use of new technologies such as Artificial Intelligence (AI) should be governed.”
“It is encouraging to see the Secretary of State recognise the benefits of continued cooperation with the EU on regulation and that he will be seeking ongoing involvement for UK regulators based on a strong commitment to maintaining high standards. However, delivery of his agenda will require realism on the practical compromises that will need to be struck with the EU. It remains hard to see how we can maintain full cooperation on regulations and standards without some mechanism to engage with the European Court of Justice. This is a welcome speech, but businesses are eager to see more detail and practical progress.”