The era of stable data protection that UK companies have enjoyed for two decades is set to change.
The EU will address the changes in the technological environment by condensing three drafts of the General Data Protection Regulation into one by the end of the year.
The work on these new regulations has been undertaken to account for technological advances, the proliferation of social media, and the boom in the use of big data. Once the regulations are adopted, UK companies will have only two years to implement all of them within their working policies, practices, and procedures.
One of the major changes that will be adopted concerns which data will now come under the protection of the law. Currently, the data protection law only applies to data that directly identifies an individual, or does so when combined with other data held by the controlling company. Effectively this means that until now, a company could use pseudonyms, IP addresses, and unique reference numbers without contravening the law. The new regulations will consider such data as being personal. Consequently, any business that has previously held personal data in the form of pseudonyms will need to change its practices to remain compliant.
While the stringency of the new regulations is unclear at this stage, UK companies should note that a lenient approach to pseudonymous data is opposed by the majority of Europe’s data protection regulators. UK organisations that hold data are advised to begin work now on classifying what type of data they hold and to remain abreast of regulatory changes as they occur.
Data-driven businesses will clearly be most affected, with the holding of data permitted only by statutory need or consent. Consent must be freely given and specific, and individuals must be given a choice to withdraw consent. This requirement for consent will place a strain on the capacity of data-driven firms.
To comply with these new regulations, UK companies will target cost-effective and comprehensive strategies. Such strategies include outsourcing data protection and consent requirements under the new regime. This will bring together cross-functional working parties (IT, legal, management, and business) to implement the changes required by law. Doing so ensures that organisations remain compliant with the evolving data protection law and, while not abdicating control of data protection, utilise systems and processes built for market agility and cost effectiveness.
For more information, see General Data Protection Regulation.
Briars Group provides tailor-made services in the fields of people, finance, tax, and technology to organisations seeking to expand operations in their home territory or elsewhere. The company offers a seamless turn-key solution that is compliant and ensures consistency, with more than 1,000 satisfied clients located across the UK, Europe, North America, and the Far East.