As Brexit talks approach and the start of Britain's exit from the European Union looks set to get under way, the Information Commissioner's Office (ICO) has warned companies not to ignore the bloc's new data-protection regulations, due to come into effect in 2018.
The European Commission's (EC) General Data Protection Regulation (GDPR) aims to streamline data-protection frameworks and citizens' rights across the EU. Brussels has called it an attempt to make "Europe fit for the digital age."
The GDPR would ensure that the personal data of victims, witnesses and suspects of crime in the EU are duly protected. It would also facilitate cross-border cooperation in the fight against crime and terrorism, according to the EC.
It enters into force on 5 May 2018, and EU member states have to transpose it into their national law by 6 May 2018.
Speaking at the Wealth Management Association's Financial Crime Conference on Thursday (26 January 2017), Garreth Cameron, group manager for business and industry at the Information Commissioner's Office, said: "I keep getting quips from industry executives that we're leaving the EU, should we really be bothered about making room for GDPR compliance? My riposte is, as far as anyone can tell, Britain would still be a member of the EU in 2018, regardless of where Brexit talks are heading."
Cameron added that even after Brexit, the British government would ensure a similar level of regulatory framework.
"Companies would find it beneficial to ensure compliance to GDPR standards. Data protection is a challenge for both governments and companies alike. We are 20 years into our first data-protection act, and still asking searching questions about the direction of travel... newer challenges are emerging. So don't view compliance standards as a burden but something to enhance corporate reputation with."
No tussle with the FCA
Cameron also denied that there was some kind of rivalry between the ICO and the Financial Conduct Authority (FCA) when it comes to probing and penalising errant players in the finance and banking community.
"We have very good relations at a policy level with the FCA. If there has been a breach that is very large, we have a conversation with the FCA to determine which regulator should take this forward. At times, both regulators act."
Cameron said that, like all regulators, the ICO has a range of tools available: "Education and advice is our default position. Unless a horrendous breach has taken place that demands that we take punitive action, we actually work with business." Commenting on recent high-profile breaches including TalkTalk and Sony, Cameron said that each incident is always a trigger for a conversation to avoid a repeat in the future.
"Furthermore, companies need to undertake a fundamental rethink about the kind and volume of data they hold. The more they have, the more they are vulnerable in the event of a breach. So sometimes a data audit is useful to determine holding what is necessary when it comes to end users and customers."