Data Protection: A Crisis in Waiting

The recent troubles at Credit Suisse and Capita have highlighted how inadequately preparing for a crisis, from operations to communications, can damage the overall business and have a significant financial impact. The lessons from Credit Suisse are ones which businesses and investors should consider when new legislation or regulation arises.

Now there is a potential new crisis just over the horizon for many businesses with the new Data Protection and Information Bill. With reputational risks for those which fall under the stricter measures for sensitive data and operational impacts for those who may suffer from the consequences if the UK is removed from the EU’s whitelist for international data transfers.

Although the number of businesses reporting cyberattacks has dropped, the UK Government has indicated in its ‘Cyber security breaches survey 2023’ that this is due to underreporting from businesses, especially smaller firms or those struggling financially. As the UK economy slows, businesses should be wary of ignoring their legal cybersecurity obligations and, in a similar way to other crises, the reputational and financial implications could be considerable. While the UK Government has claimed that the Bill will ease the burden on businesses, the devil is in the detail with more burden on companies processing high risk data and reduced burdens on those which fall outside of this scope.

Divergence from the EU

Although the Bill presents many challenges for businesses, there are also opportunities. The new framework for international data transfers is expected to make it easier for businesses to transfer personal data across borders if data protection standards are maintained. This is important for businesses that operate in multiple countries, as it reduces the burden of complying with different data protection laws in each country. As the Bill is in its infancy, there are still opportunities to influence the legislation and many businesses and investors are hoping the UK remains on the EU’s whitelist for international data transfers.

Digital technology becoming part of our everyday lives is part of the reason why earlier this year the UK Government re-introduced a new Data Protection and Information Bill. This piece of legislation had a rocky start which saw the Government withdraw the Bill due to significant concerns raised in the House of Commons. Many businesses hoped this Bill would ease some of the difficulties they have encountered with GDPR. With burdens from GDPR being eased under this legislation for small businesses or those in scientific research, this is another sign of the UK’s legislative divergence from the EU. However, if businesses are operating in both the UK and the EU they may be required to consider different regulations and requirements.

Increased Scrutiny for Businesses

In an increasingly digitalised world, cyberattacks, data breaches and organisational failures have seen companies suddenly thrust into the spotlight and their adherence to regulation put under a microscope. Reputationally, the 24-hour news cycle is not kind to those who are ill-prepared. Politically, select committees in the House of Commons are becoming increasingly media-savvy and will rapidly summon businesses to appear before them to answer a tough list of questions. Financially, the fines are already large, but these are about to increase and become more frequent.

This new Bill’s stricter regulations on large businesses or those with sensitive data could increase the likelihood of a crisis event occurring and damaging a business’ reputation. How companies respond to sudden scrutiny, especially where there have been corporate failures, will increasingly have long-term implications for their reputation.

Marketing Changes

Customer communications were a large focus of GDPR with many people bombarded by subscription confirmation emails back in 2018. Companies will once again have to adapt as there will be a new statutory code of practice for direct marketing, a new regime for data brokers, and a new framework for international data transfers. For international retailers, some of these new rules could be tricky to navigate if they are to avoid fines and legal action.

Foreign Investors & International Data Processing

The change in regulations on data processing outside of the UK are likely, in part, aimed at the current conversations stemming from geopolitical tensions. Organisations should seek to get ahead of geopolitical tensions when attempting to enter any market. In the UK, a lack of attention to external factors has already been seen to damage the reputation, operations, and finances of multiple international organisations. The company at the heart of this debate has been TikTok and its parent company ByteDance which is headquartered in China. The reason for this scrutiny is, perhaps, because both the West and China continue to tighten their grip on technology supply chains and data processing to offset any perceived security threats emerging, especially from digital tech.

The new Data Protection and Information Bill is a significant update to the UK's data protection laws, especially in comparison to the EU. It is also a reflection on the increasing securitisation of UK politics which can impact companies who do not act to protect their reputations or assets. This new piece of legislation will likely play a role in the ambitions of the Government, particularly the Chancellor, to turn the UK into the next global technology world leader.