The UK has always made it clear that it intends to adopt major parts of EU law, and its new Data Protection Bill is proof. However it’s already apparent that the EU isn’t going to let the UK have it easy. Earlier this year it issued a notice to stakeholders to be prepared, reminding everyone concerned of the “legal repercussions, which need to be considered when the United Kingdom becomes a third country”.
Potentially it’s just posturing on both sides and the UK and the EU will come to an amicable agreement, but just in case, there are three key areas concerning data protection worthy of closer inspection in how they relate to GDPR today.
Local legislation can still apply
Already Germany is introducing stricter control over data protection officers including appointing one where 10 or more employees are processing personal data; Poland is proposing broadening the scope of processing employee personal data, but only in certain sectors such as banking; and the UK is making some personal data, such as that belonging to people with criminal convictions, exempt from requiring consent.
Despite GDPR supposedly being unified legislation, organisations will still need to consider local laws when deciding how to process personal data under it. While it’s doubtful that a company would get away without some form of penalty if caught processing information from one EU country in another EU country with less restrictive legislation, there will undoubtedly be some that try.
The difference between PII and personal data
The terms Personally Identifiable Information (PII) and personal data are often used interchangeably. But under GDPR, personal data covers much more, including IP and MAC addresses, cookies and RFID tags, all of which can be combined with unique identifiers and other information to identify data subjects.
But it’s not just the additional level of personal data that organisations need to consider. Depending on the agreement struck, the UK could potentially be left out of the EU-US Privacy Shield, leaving it unable to transfer data easily to the EU and the US. While this surely will be resolved, it will add an extra layer of complexity for businesses caught in the middle.
Cross-border data transfers
It’s also worth noting that while being certified under the EU-US Privacy Shield will afford organisations some level of readiness, it does not guarantee full compliance with GDPR. For example, being certified for the cross-border data transfer framework is only relevant to the protection of personal information in transatlantic data flows. How data is processed, the type of data and the scope allowed, which are a key purpose of GDPR, aren’t covered.
And while you’re looking at the Privacy Shield, don’t forget to consider China’s new Cybersecurity Law (CSL), which details its own cross-border data transfer network conditions and goes well beyond the scope of personal data to include business information too, perhaps proving that data really is the new oil.
For organisations grappling with nuances of GDPR, the key is not to think within the confines of one piece of legislation but to plan strategically for the future. Placing data privacy at the centre of capturing, archiving and retrieving information will not only help you comply with today’s legislation, but be better prepared for the even tighter regulation that is sure to follow tomorrow.