General Data Protection Regulation (GDPR) is one of the EU regulations that the UK has committed to retain when the UK officially leaves the European Union. The regulation was adopted on 27 April 2016 by the European Union and becomes enforceable on 25 May 2018.
GDPR is designed to protect the personal data of all EU residents and visitors. The regulation will do so by providing standardized data protection laws across the EU and establishing personal data freedom as a fundamental human right.
Given the number of data breaches in the last few years, the regulation is important. However, it may come at a cost to the economy, and to businesses that fail to properly prepare.
The law applies to any company that stores information about a citizen in Europe. That also applies to companies outside Europe that sell to citizens on the continent. Therefore, even without the government’s plan to adopt this EU regulation, UK companies that have customers and/or clients in EU countries would still need to comply.
Where previous legislation may have left a lot open to interpretation, GDPR is very specific about which entities are responsible for protecting data. It’s also very specific about what constitutes personal data. The penalties for non-compliance are severe too, with fines as high as €20 million or 4% of an organization’s total global revenues in the previous year.
The regulation will affect many businesses in the UK, including small businesses. Yet, by June this year, 61 percent of companies had reportedly not yet begun GDPR implementation.
The impact on the economy could be wide-ranging. Given the possible level of non-compliance, it may come in the form of fines, which The Financial Times have estimated could reach billions of pounds for large companies. It’s even less likely that companies outside of Europe will be ready. This may result in certain companies being blocked from doing business in the UK, which could have knock-on effects throughout the economy.
But compliance will come at a cost too. The regulation is likely to have a disproportionate impact on start-ups and SMEs. All companies that gather any form of data on customers will have to be able to supply that data to each customer if requested to do so. In addition, if a customer asks them to delete specific data, they will have to do that too. The capacity to do that could be a far bigger burden for smaller companies that don’t enjoy the economies of scale that large companies do.
The types of companies that will be most affected are those that engage in big data analytics and those that prospect for customers using personal data. This will also affect some companies that outsource data analytics, and of course the companies they outsource to. In order to comply with the regulation, they may have to move these roles in-house.
Banks, which store massive amounts of data, will have the added burden of dealing with the potentially conflicting requirements of MiFID II and GDPR. The former requires that certain data be kept for at least five years, while the latter may penalise companies for keeping data they’re not allowed to.
However, there are manageable solutions for companies that take the right steps. For instance, if data is anonymized by removing personal details from each record, the data can be used for analysis without breaching the regulation.
Companies can also store data as long as they have customers’ consent. They just have to make sure they have that consent and manage data appropriately. In short, the GDPR asks companies to take responsibility for customer data.
The overall impact on the economy will come down to the way companies approach GDPR. In some ways, companies have taken liberties with data in the past. If the UK’s companies now become proactive and manage data responsibly, the impact will be muted. In that case, it will only be a few companies that mine and share data that will be affected, and there should be little impact on the overall economy. On the other hand, if they treat it as a nuisance and take only superficial steps, we may see some large fines being handed out.