Comment: EU has last laugh on data protection


The EU’s new data protection rules will kick in before Brexit is completed, so UK firms will have no choice but to comply

New data protection rules were adopted by the European Parliament in April and will become applicable to all EU members in two years’ time.

Clearly, these changes took place before the UK referendum, but the Information Commissioner’s Office says the Data Protection Act remains law irrespective of Brexit and that UK standards must be equivalent to the EU’s General Data Protection Regulation starting in 2018.

Once Article 50 is triggered, it will take two years to agree an amicable divorce. Therefore, the GDPR will be in place in UK legislation before we leave the EU.

Compliance will require changes to how IFAs and mortgage brokers handle customer data. They must show how and when consent was lawfully obtained.

Customers have a right to opt out of any automated evaluation, such as credit scoring, and can assert this right at any time. Under the GDPR, they have a ‘right to be forgotten’ – that is, to have their personal data permanently erased.

There must be a reliable process for erasure and those in possession of the data must notify other holders that consent has been withdrawn and data should be erased. This can be difficult due to backups, multiple systems and cloud storage.

Businesses using US cloud servers to store or transfer confidential data should act now to avoid breaking the Data Protection Act.

Cyber crime is a prolific threat, so it is vital to train staff to understand the precautions required. Follow these tips to ensure your business is data-secure and compliant: install encryption software on all devices (in accordance with ICO requirements); apply due diligence before choosing your data backup provider; choose a compliant cloud service; and apply relevant password-protection software.

Marlon Johnson is managing director of JMS Secure Data