Although many companies are effectively preparing for the new regulatory environment of the General Data Protection Regulation, many are not. There are anecdotal suggestions that some companies have abandoned existing compliance efforts under the misapprehension that Brexit will make the GDPR irrelevant within the UK.
That is not so, for two reasons. The most obvious is that the GDPR, taking effect as it does in May 2018, will be in force well before the earliest possible date for Brexit, and organisations will therefore be subject to its provisions for at least a year (and probably rather longer).
The other reason is that, however isolated the UK is after Brexit, it will still need to take part in cross-border data flows, not least those involving the US.
There is a third reason: many of the provisions of the GDPR are things which companies ought to be doing anyway, with or without a regulatory whip at their back. To take one example, the GDPR will require organisations to report data breaches (and these are very widely defined) within 72 hours of their occurrence. While the potentially significant GDPR fines are a big spur to action, so too are the risks which follow from negative customer reactions, from shareholder unease and from other factors which matter very much for a company’s profile.
FTI has long had significant expertise in this area. Its webinar on 18 May, done in conjunction with Bloomberg BNA, will cover (among other things):