The future may be uncertain over Brexit, but tough action on data protection is assured
As the UK faces up to Article 50 negotiations next year, businesses seeking certainty may have found it in short supply. Indeed, in the famous parlance of former US Secretary of Defence Donald Rumsfeld, there are many "known unknowns" and "unknown unknowns".
Helpfully, though, one major issue for business can be moved across to the 'known known' column - data protection.
UK Digital Minister Matt Hancock MP recently announced the Government's intention to adopt the EU General Data Protection Regulations (GDPR) in 2018, irrespective of where the UK sits in the Brexit process.
So, how will this impact for Northern Ireland businesses?
The UK Information Commissioner's Office (ICO) currently has the power to impose monetary penalties of up to £500,000 for serious breaches of the Data Protection Act.
The £400,000 fine recently issued to internet service provider TalkTalk for a major data breach is the highest penalty the ICO has ever issued.
Under the GDPR, data protection authorities will be able to impose fines of up to 4% of the annual global turnover of a business, or €20m, whichever is the higher.
Analysis carried out by Pinsent Masons, has revealed that the top 100 companies by revenue in Northern Ireland could face a substantial hike in fines – indeed the total fines which could be faced collectively by the top 10 companies in Northern Ireland by revenue at the maximum of 4% of turnover would be close to a staggering £300m for their Northern Ireland figures alone - a drop in the ocean when you add in global revenues.
Data protection issues are rocketing up the agendas of many boards, given the potential risk of huge fines, damaging publicity and loss of customer confidence if a breach occurs.
This risk is compounded by the fact that the new regime requires mandatory reporting of serious breaches to the Regulator within 72 hours of their occurrence.
GDPR will become law on May 25, 2018. Businesses therefore have less than 18 months to ensure that they are GDPR-ready.
To be prepared for GDPR, businesses should carry out an internal review immediately to identify any gaps or weaknesses in supply chain, staff training, IT infrastructure and procedures. Under data protection laws, an organisation must have adequate technical and organisational measures to protect information. This means that being a "victim" of a cyber attack could also lead to enforcement by the Regulator for not having adequate security. Time is ticking and a thorough audit now will allow businesses to implement any necessary changes before the new regime becomes law.
In addition, businesses should have in place an incident response plan, so that if a breach were to occur, a clear process exists to make sure the organisation knows how to respond within the short 72 hour window.
With Brexit placing many businesses in a state of flux, this concrete action will enable firms to plan one central part of business strategy in the months of uncertainty ahead.
Laura Gillespie is the litigation and regulatory partner at Pinsent Masons