Sally Cosgrove: Hello everyone and welcome to the next episode of Beyond Brexit. Today, we’re discussing the General Data Protection Regulation or GDPR as it is commonly known, which will be implemented in May of this year, and we’ll be discussing how Brexit developments may affect the way in which the regulation impacts business.
I’m Sally Cosgrove, your host, taking over from Gaenor Bagley. I’m delighted today to be joined by Kevin Burrowes, our Head of Clients and Markets; and Stewart Room, our Lead Partner for GDPR and Data Protection.
So, welcome, Kevin and Stewart. Firstly, Stewart, let’s start with you. To give the session and our listeners a bit of context, can you give us a brief overview of GDPR and why it’s so important?
Stewart Room: Yes, of course. It’s the next step in European and UK data protection law. So, we’ve had data protection law in Europe since 1968; in fact, that was when the first law was passed. What the law does is give consumers more rights over their data, and it gives them more power to enforce the law. So, for instance, they’ll have a right of data portability and a right to pursue compensation claims if they want to.
It also gives the statutory regulators, in this case, the Information Commissioner, more enforcement power, so they can take audit steps if they want to, and intervene in business.
But, at the very heart of it is essentially a new code of practice for good data handling by organisations, businesses, public authorities, etc., and if businesses follow that code of practice, then they should come to good outcomes with personal data.
Sally: So, very important to all businesses, no matter what the size or shape of those businesses is?
Stewart: Yeah, absolutely right. There is no real limitation on business size, and it goes all the way across the economy into the third sector as well as the public sector and private sector.
Sally: Okay, so Kevin, you spend a lot of time in your role talking to our clients about their issues and the challenges that they face. So, where do GDPR preparations stand in terms of their overall priorities at the moment?
Kevin Burrowes: Yeah, I think, it’s really interesting, you know, this is quite a complicated set of rules, and what we are seeing is, sort of, very different approaches. At one end, you’ve got some organisations, who are really focused on this, that are spending the right time with the right level of programmes; really thinking about, right, what outcomes do we need to achieve, and already, you know, you are beginning to feel that in the, sort of, the contracting in the corporate world today.
You’ve got other organisations that perhaps are focused on this, but thinking about it more as a tick-box sort of exercise, and they may be patting themselves on the back saying, ‘you know, we are doing okay’. But I think they have to be very cautious that this is not about tick boxes, this is really about rights, it’s about the availability of data, it’s about obligations for companies around data, and they could come a little bit unstuck.
Now lastly, you’ve got a category of organisations, as we’ve heard, you know, this impacts everybody, where perhaps they’ve not started. They have not really thought about it. They have not thought about their business processes and how that’s going to be changed. So, it’s not too late for them, because clearly, although it’s getting implemented in May, there is still time, and there is time beyond May, still to put in place the right protocols to comply, as we’ve heard.
So, you’ve got those three different groups, and I think companies need to look at themselves, say ‘right, where are we, where do we sit, and what do we need to do?’ Some need to go really quickly now; some need to, maybe, change the approach; and others are well on track.
Sally: Great, and a helpful overview. So, bringing it on to Brexit, given we’re on a Brexit podcast, what might the potential impacts of Brexit be for GDPR?
Stewart: Well, when Brexit happens, the General Data Protection Regulation will not exist in our law automatically. So, in order to deal with that, Parliament is moving the Data Protection Bill through the parliamentary processes. That is due to receive royal assent this year. So, we will have our own national legislation that replicates the GDPR, and in fact takes it much further than the GDPR actually goes. For example, it takes the GDPR into the intelligence services, which are missed by the European scheme, and it takes it into parts of the public sector that are missed by the European scheme. So, the UK will have effectively ‘GDPR plus’ after Brexit. So, in that sense, we can be confident that the preparations that Kevin mentioned are of good value and to our gain.
Kevin: And I don’t think many have really realised that actually it is ‘plus’, isn’t it? It is quite a significant onward step from what GDPR is, isn’t it?
Stewart: It is. I mean, for people who are hoping that we won’t have a data protection law because of Brexit, I think it’s important to understand that it was the UK that proposed the GDPR in the first place; it wasn’t France, Germany, Spain, Italy; it was us. So, we are getting a law that is built in our own image, in light of the perils that the UK economy understands. For instance, security breaches being a big concern, Kevin.
But one of the big issues that’s been dealt with politically is the question of adequacy. So, the basic idea is, you want information about people to flow internationally, otherwise business will grind to a halt, public services will grind to a halt.
The European scheme allows data to flow freely within the European Economic Area. When we leave, we are outside of the area, so we will not be able to flow personal data from Europe into the UK without a mechanism to do so. Presently there is a power for Europe to confer an adequacy badge or decision on another country. So, Europe could say, ‘yeah the UK is great, it’s got good law, good regulatory practice, a good judicial system, and therefore the UK is adequate, and there will be no barriers to receiving data from Europe’. If that doesn’t happen, there are mechanisms built into the legislation for businesses, and private sector, and public sector entities to use. For instance, you can put in place contracts to allow data to flow from Europe into the UK.
So, the positive message in all of this is that there are no fundamental barriers, despite Brexit, to moving data from Europe into the UK, although some of the mechanisms carry administrative burdens that will be problematic, particularly in the small business environment.
Kevin: And I think this is a really important point, because this ‘oh, GDPR might not happen because of Brexit’, you know, I hear that actually quite a lot, and you think, ‘no, no, actually we’ll be further than that’, and you really need as an organisation to really pick that up and push hard on it.
Stewart: Absolutely right.
Sally: And Stewart do you have a view on adequacy and how likely that decision is for the UK?
Stewart: Yeah, I do. My personal view is, when you look at the legislation, look at our regulatory scheme, look at the access to justice that we have to go to court and the attitude of the judges, and then look at the professional and industry rules that we have around data handling, for instance in the legal profession, the accountancy profession, the medical profession; collectively, I cannot believe that the UK could be regarded as inadequate as a matter of fact and law. The only reason I can think of for denying that decision would be a purely political one.
Sally: Right, okay. But regardless, what I am hearing from both of you is that businesses should be pushing on with their preparations, because actually the UK law takes it further.
Sally: Okay, and so Kevin, over to you. Do you think that the government is taking the right approach with all of this?
Kevin: Well, I think it’s very interesting when you look at the industrial strategy that the government launched last year; it talked very clearly about what it wants to create for the UK economy around ideas, great communities, great infrastructure, etc.
So, the sort of view of where the government wants to take the UK economy is well set out in that paper, and of course, in that paper, there were also four grand challenges that the government saw. And I don’t think it’s a coincidence that the first one of those is how do you create an economy that maximises the potential of data and of artificial intelligence, really. And what’s really critical, therefore, is that we are very, very clear about what we mean by maximising data. And at one level there’s how do you use it, how do customers use it, how do businesses use it, how do you use that data for your own benefit? But, quite clearly, what GDPR is all about is the rights and the protections and the obligations. And getting that right, and making sure that we have got an economy that’s built on some really strong foundations of regulation around data, I think is absolutely critical, and that’s why it’s one of the grand challenges.
We’ve got a long way to go to get there, but it’s recognised by the Government, and I think therefore, you know, hopefully we will see both political and business-will to make sure that happens.
Sally: And, Stewart, do you think that vision that Kevin has just set out is recognised by businesses as they’re going about the implementation of GDPR?
Stewart: It’s a mixed picture, Sally. Some businesses recognise the larger political aspirations around the industrial strategy, etc. But as Kevin was indicating at the beginning, a lot of entities are stuck in a tick-boxing exercise. So, they are not really lifting their heads above the parapet of the legislation itself, so it’s a mixed picture.
Kevin: What’s going to be really critical here, and what we are already seeing, is that this is an area of potential competitive advantage for organisations. Imagine if you’ve got a choice between engaging with one organisation or engaging with another organisation, and one has got a great history of looking after data and protecting data, and, you know, has been able to give you access to your data, and the other has, you know, done badly in that area. I think both individuals and businesses are going to decide to transact with the one that they trust around their data.
And so, those organisations that are saying, ‘right, this is about competitive advantage’, they’re the ones that are actually going to take that competitive advantage, because they will put in place the right protocols, and the right controls, and the right oversight, the right governance, to enable that to happen.
We’re already seeing it in our business. Many of our corporate customers are starting to ask us, ‘what are you doing with that data, how are you doing it, how can we act, and what are the controls’, etc. So, already we’re seeing that come home for us, and, you know, the government is very interested when they are contracting with us, for example, ‘how do you control all this?’ So, it’s going to be a source of huge competitive opportunity for corporates as they start to move into this, sort of, whole agenda, I think.
Sally: So, lots of opportunity for businesses, I’m hearing.
Stewart: Yeah, absolutely. Just to take one of Kevin’s points, in the public sector, the government will make GDPR compliance a mandatory requirement to be able to receive an invitation to tender or request for provision. So, you can’t even compete if you haven’t put those foundations in. So, lots of opportunity to do well. If we look at the UK still being a bridge between the United States, the rest of the world, and Europe, we have a fantastic data processing history in this country that can be built on, potentially to ameliorate any of the stresses of Brexit in terms of economic loss. So there is a huge amount of opportunity for gain here.
Sally: Stewart, what do you think employers should be doing right now? How should they be preparing their staff for GDPR, given it’s just such a massive change?
Stewart: I think the key issue is really to create awareness at this stage that the legislation is imminent, it’s on its way, and to provide core education around the key rights and principles of the legislation; I think that’s self-evident. But if we move beyond that, I think it’s about explaining to employees the scenarios that will be most impactful.
So, rather than simply saying the citizen will have a right of access, explain how that may be used, and when and why, and think about the places where those important matters may land first.
So, should we be looking at employees in a contact centre for a consumer-facing business sooner than in another part of the business? And also remembering that when data protection stress has been suffered by entities, it’s not just inbound from customers or business partners, but from the activities of the employees themselves.
So, for instance, if an employee makes a mistake, that can create data protection liability. We’ve also seen that when employees have left, let’s say under a cloud, data protection has sometimes been weaponised in a litigation context, in order to further industrial relations and employment law litigation.
So, I think we need to be aware of those matters as well, when we are thinking about the employee inside of data protection.
Kevin: Stewart, you talked there a little bit about, you know, some of the obligations, and we’ve talked about competitive advantage, but on the other side, there are some quite big threats of enforcement and some quite big consequences for getting this wrong.
Do you want to say a couple of words about that? Because I think those are the ones where people go, ‘oh dear, oh dear, really? That’s the consequence of this?’
Stewart: Yes, indeed. So, I mentioned at the beginning that there are, essentially, more enforcement powers for the citizen and the regulator. So, for the citizen, they will have the power to pursue compensation claims if they are distressed about an act of non-compliance. So, what that means is, they won’t have to show that they’ve suffered any physical loss or any financial loss; they simply need to say there is an absence of compliance. If that’s proven, they will be entitled to compensation. So, that’s a big, big risk.
As far as the regulator is concerned, as well as the power to step in and conduct audits and order the cessation of processing activities, they will be able to impose fines of up to 4% of annual worldwide turnover. So, if we combine that fining power with the litigation risk, we do have one of the most extreme financial risks that any regulatory scheme has built for the economy.
Kevin: And I know we’re already doing some work for the regulator in a couple of these areas, where the regulator goes, ‘well, has data been misused inside a corporate?’ Now, the consequences post-implementation are much, much bigger, aren’t they? So, this is a real risk; it’s not something that we think is not going to happen, for example. It’s a real power, the Commissioner has already started to use those powers more aggressively, and we are going to see more of that, aren’t we?
Stewart: Absolutely. We have a long track record of active enforcement in the data protection environment in the UK. We track those decisions at PwC, if anyone wants to read about them, and the Information Commissioner has been given greater latitude from government to hire staff and increase pay, to get better people in, more people in, people with a wider skill range. So, what we would expect is for that to coalesce into a greater volume of enforcement activity going forward.
Sally: So, more downside risks than ever before within data protection?
Stewart: More downside risk, but as we are saying, a huge amount of opportunity as well.
Sally: Huge amount of opportunity as well. Okay, so I think we will start wrapping up there. Final thoughts from you Kevin, before we do wrap up?
Kevin: Look, I think this is such a critical area. We are helping a whole bunch of different clients, actually, with workshops, with, you know, preparatory-type activities. We’re seeing, as I said earlier, a whole range. I think the critical thing, I go back to, I have said it already, is that this can be a huge competitive advantage. It is going to hit us. It is going to come to the UK corporate world, if you like, and it is something, I think, that has to be taken very seriously, but with a view to ‘how do we maximise the advantage of this’, as opposed to ‘oh, here’s another set of regulations.’
Sally: And Stewart, final thoughts from you?
Stewart: Well, I certainly echo all of the positives. I think, to add, this isn’t something that is just a one-off event. So, for instance, if we don’t see lots and lots of fines in 2018, don’t sit back and think, ‘phew, that was a load of rubbish’. This is in perpetuity. It is going to be here forever, and the enforcement regime will be here forever. So, I think that’s the first key point.
The second point, for organisations that are struggling to get to grips with this, particularly smaller businesses, is that there is lots of really good free know-how out there to help them. So, go to the Information Commissioner’s website, look at industry bodies; there is lots of good stuff. And at PwC, we’re launching, in April, a portal for small businesses with a free assessment questionnaire that will help them orientate themselves on their current maturity levels and where to go.
Sally: Great. Well, thank you both, Kevin and Stewart, for your insights. And thank you, everyone, for listening. We hope you will join us for the next episode of Beyond Brexit. Remember to subscribe to keep up to date with the latest episodes, and you’ll find all of our Brexit-related content at www.pwc.co.uk/brexit.
Brexit enquiries, PwC United Kingdom