Just as British business is getting to grips with GDPR, the UK government announces that it's going to change data protection rules all over again. Colin, what can British businesses do to prepare?
The new data protection bill is a long overdue update to the outdated Data Protection Act of 1998. And it does uphold most of the GDPR principles. But we are seeing that the UK government decided to make some leniency in some areas that support primarily things like academic research and the financial institution. Which will make those businesses far more attractive to the UK.
But also they're being tougher on legislation and litigation, which is a key area in GDPR.
Are there any big differences?
They are being more lenient in some areas, relaxing some of the GDPR rules. And they are also being more stringent. And litigation is a key feature here.
But presumably, in order to trade, the British rules are going to have to follow GDPR more or less.
Well, yes. Because the problem we've got is, for one thing, we're going through Brexit at the moment. And we're negotiating our way out. But we have to be able to be in a position to still support all of our business through trade agreements. Now, if we also leave the European Economic Area as well, we will be treated as a third country. This means that our policies for security and privacy come into question.
And that also then means that if we don't adhere to them, then we will have problems negotiating our own trade agreements. This is going to have an impact on data flow between the UK and the EU. And then in turn, it's going to maybe affect or even drive up consumer pricing.
So what advice would you give to a business to prepare for this uncertainty?
The ICO are there to help. They are providing a lot of information. I do encourage businesses to engage with the ICO, and be open and honest with them. Although don't just leave it to chance. Don't leave yourself to the last minute. Because although the ICO are there to help, there's also been a history of such organizations making an example of the first ones to be caught out in a big way.
So don't be the worst by being the first is really my motto.
And what about internally? Can you give us an idea of how you guys are dealing with this in your own systems?
In my honest view, like any forward-thinking company, we want to be doing the right thing here. And for us, as an international company, we need to be supporting both GDPR and all global data protection and privacy rules. So we are setting up frameworks. We've set up frameworks to make sure that we put in place the right governance, making sure that there's a good reporting structure.
But it's not just about what we're doing in our programming and the solutions that we provide to our customers. It's making sure that everybody in our organization is educated, understands what personally identifiable information is, and they know how to handle it, and what to do if there is some question about it. So my advice to everybody is make sure you train everybody and get things in place as soon as possible.
GDPR is more than just a hassle for companies. It can be an opportunity, too.
Oh, exactly. I mean, people have been focusing on, and the media has been focusing on, the extensive penalties that are coming in, but also organizations missing the additional litigation and class action provision that could be there.
But let's not focus in on that. This is a fantastic opportunity for organizations to disrupt the market, to become much better, provide the facilities and the protection that data subjects require, be outstanding, and uphold what we really need in today's data-rich over-sharing environment.
And turn it into a competitive advantage.
Absolutely. It is a competitive advantage for people. And that's how they should be viewing it and budgeting for it.
Colin, thank you very much.