What Does the General Data Protection Regulation (GDPR) Mean for UK Business?

Boards must direct sweeping cultural and managerial changes

There will be serious consequences for UK business when the General Data Protection Regulation (GDPR) (Regulation EU 2016/679) takes hold in the UK and throughout the EU on May 25, 2018 – Brexit will not change this. A “sweeping and comprehensive” reworking of data protection requirements, GDPR will demand changes to business models for UK companies in every sector. All companies will have to reorder the organisation of data processing, but each sector will see changes to the way companies do business as a result of the EU legislation.  UK Boards must plan to direct major cultural changes throughout their organisations.

GDPR brings fundamental changes

The consequences of the General Data Protection Regulation (GDPR) to business in every sector are considerable: Manufacturers expect job cuts; healthcare will see sharply increased expense around the collection and use of personal data; financial services must expect increased auditing and thematic reviews by multiple agencies; the public sector has to develop and implement new strategies.

To give a straightforward example: B2B marketing will now require far more extensive controls for data processing and to manage consumer consent, as the British Direct Marketing Association points out in a recent report.

Nearly every UK business today is dependent on data, and GDPR enforcement in the UK can lead to losing access to data. Analysts agree that UK boards must make the company-wide changes the law requires, creating a new framework for decision-making and a new organizational culture to manage the risks and achieve compliance.

Making these changes will raise costs, and lead to job cuts and management changes in some sectors. Board members and management will succeed or fail based on their ability to chart a clear course. Those that do succeed will, however, create new opportunities for their organisations.

Manufacturers must boost data controls

Some sectors clearly are lagging. The majority of UK manufacturing businesses are unaware of the new wide-ranging data protection rules which come into force in less than a year’s time – despite 18 per cent admitting the maximum fine for non-compliance would force them out of business and 14 per cent saying it would lead to large scale redundancies, according to a YouGov survey of 300 manufacturing businesses.

Fourteen per cent of UK manufacturers think they would need to make significant job cuts with a further 20 per cent admitting that smaller scale headcount reductions will be necessary.

Manufacturers are likely to have access to a large amount of personal data from customers, suppliers, sub-contractors and employees. They must make recording its uses possible, and allowing consent by consumers. Where employees have previously used consumer data for any purpose, there now must be specific reasons to justify its collection and use – this makes for a cultural change.

That change must be directed by a board-level data officer who must take ownership for GDPR compliance across the organisation – this means vast changes in management structure.

Healthcare must redefine “personal data”

For the healthcare industry, personal data is an essential element. But GDPR redefines personal data, creating a special category known as “sensitive personal data.” Use of this data must be specifically justified, and it can only be used in certain cases.

The GDPR prohibits the processing of certain special categories of personal data (or “sensitive personal data”), subject to certain exceptions. The special categories of personal data include, among other things, genetic data and data concerning health.

“Genetic data” includes personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question. The GDPR also defines “data concerning health” for the first time. “Data concerning health” includes personal data related to the physical or mental health of a natural person, including the provision of healthcare services, which reveal information about his or her health status. Organizations operating in the life sciences and healthcare sectors must show that they are within one of the exceptional circumstances set out in the GDPR for which sensitive personal data may be processed.

The calls for a massive reorganisation of management and operations for healthcare companies. It raises costs and will require boosted data controls.

Financial Services require “risk-based implementation plan”

“It’s very clear that the GDPR is a “Game Changer” in data protection and privacy and as a result FS firms must now urgently start to create a risk-based implementation plan rather than delay this process,” advises Bryan Foss, one of Europe’s leading governance and data protection experts.

All of the data controls we’ve discussed above apply to financial services, of course, meaning that the same kind of boardroom-led reorganisation is required  for banks, brokers, wealth managers, etc.

The Financial Conduct Authority, the main watchdog for the financial sector in the UK, and the Information Commissioner’s Office will be working together to audit the sector. Thematic reviews will be increasingly used in these audits, and this will put extra pressure on financial institutions to make certain they are compliant.

New organisation, new culture, new procedures

Regardless of the sector, a unified data protection regulation brings a whole new set of challenges. Companies need to evaluate their data processing and security practices to implement procedures for consumer consent, sensitive data authorisation, notification to the Commissioner’s office, and notification in case of data breach.  However, for companies that have never prioritised data protection before, the next two years will place a considerable onus on compliance.

Says London-based data protection lawyer at the Taylor Wessing group Vinod Bange:  “The obligations on processors mean that large numbers of organisations are going to be brought directly into the data protection regime for the first time. Coupled with the increased audit trail requirements, boards must take steps to take up this greatly increased compliance burden under the GDPR.”