Businesses considering closer involvement with other tech companies in the U.K. previously ran into issues because of data security protocols that were once strictly enforced overseas. For a time, it was even advised for eDiscovery reasons that U.S. and U.K. companies not store information with each other, as doing so could make requests difficult or impossible to fulfill.
Now it looks like the U.K. is getting even looser with its data protection than America, according to a recent report from the Register. The EU Council of Ministers will no longer require every U.K.-based company to meet full compliance requirements.
Fast and loose
The council's reasoning behind the move toward more lax security requirements is that not all businesses can afford to take the time or divert the funds to meeting full compliance. Handing down fines or other repercussions against these entities could harm the overall health of the company, so the EU decided it would be best to allow these businesses to simply ignore the parts of data protection guidelines that don't work for them.
The General Data Protection Regulation (GDPR) isn't even a year old and already it is being partially cut back. Previously the EU took a strong hand toward the protection and maintenance of personal information, but now it is changing the definition of "personal data" in order to make it easier for companies to meet the guidelines. Rather than raising the bar, the GDPR gives technology storage and other vendors permission to relax data security.
Not everyone in the U.K. is happy about this move, understandably. The Ministry of Justice (MoJ) has already stated in a report by Out-Law that it wants the EU to reconsider the decision, as it feels it will lead to additional data breaches and threats by creating a false sense of achievement and standards among data security entities.
"The [Commission's] Impact Assessment does not assess the cost of many measures that will have an impact on business," said an MoJ official. According to the source, the MoJ wants all businesses with more than 250 employees to be required to hire a data protection or similar IT specialist. It pointed out that the financial impact on private individuals and public companies would far outweigh initial savings a business would enjoy for not meeting previous EU standards.