One year warning: Why Brexit doesn’t mean the end of GDPR compliance for UK businesses
24 May 2017
Legal expert Dan Hyde, partner at Penningtons Manches and the founder of CyberCounsel, explains why GDPR compliance is not something that can be ignored by British businesses just because we're leaving the EU.
GDPR (General Data Protection Regulation) was conceived and issued in Europe, but it cannot be ignored by UK business – whether large or small – and failure to prepare and ensure GDPR compliance now will spell disaster.
The importance of GDPR cannot be overstated and it will take effect in exactly a year on 25 May 2018. Diarise that date. There is no doubt that leaving the EU will not hold back the GDPR tide.
On 25 May 2018 we will not have departed the EU and will thus remain an EU member state. GDPR will consequently become domestic law here in the UK. That means complying with the new regulatory landscape or facing penalties on a scale previously unforeseen – with staggering fines of up to the greater of four per cent of total global annual turnover or €20m.
Those are breathtaking sums, and for a smaller business can represent a serious dent in profits or, depending upon the size of the fine, have a terminal effect.
The fines are divided into two tiers, with the lower tier aimed at less serious contraventions but still attracting significant penalties of up to the greater of €10m or two per cent of total global annual turnover. That even the lower tier allows for such vast fines to be levied is an indication that breaches will be dealt with severely.
What happens when we do leave the EU and are no longer a member state?
In my view, GDPR or regulations that mirror GDPR must continue to apply in the UK. GDPR applies to any size of organisation that collects or processes an EU citizen’s personal information. The focus is on protecting the individual’s personal data. It applies notwithstanding that the organisation may be based or physically located elsewhere, outside Europe.
It will not be possible to conduct business that triggers the application of GDPR due to the nature and use of the personal data involved without complying with or being subject to the GDPR regime. The regulations have a jurisdictional reach that stretches across borders to protect EU citizens and the use of their personal information.
If the UK remains a part of the European Economic Area (EEA) after leaving the EU then GDPR must remain in force as UK domestic law. Should the UK not remain part of the EEA after Brexit, and GDPR no longer be in force, it would be impossible to lawfully transfer EU personal data to the UK from member states unless the UK adopted equivalent and adequate regulations. In short, GDPR, or GDPR under another national badge, will continue to bite and will be here for the long term.
What should businesses be doing about GDPR compliance?
The short answer is to obtain expert GDPR compliance advice now. Whatever the size of the business, if the control or processing of personal data is involved this should be an urgent priority.
GDPR has tightened the need to obtain consent where personal information is collected. In relation to special categories of information, such as medical or health-related data, explicit consent of the individual may be required, and businesses will need to be aware of how this applies to them and the measures they need to adopt to ensure compliance.
Data Protection Officers (DPOs) may need to be appointed, but only “where the core activities consist of processing operations which require regular systematic monitoring of data subjects on a large scale or of special categories of data or data relating to criminal convictions or offences”.
All organisations must be ready and able to properly notify a breach within 72 hours unless it can be shown this was not done because it would have resulted in a risk to the rights and freedoms of individuals.
Other changes include the right of access and the right to be forgotten, the latter exercised essentially by way of deletion, so that a data controller deletes the specified personal information and ensures it is not shared with third parties.
GDPR is aimed at improving the protection of an EU citizen’s personal information. In many ways these regulations lift data protection to a new level of compliance that is perhaps better understood in relation to anti-money laundering regulation, where compliance officers and disclosure are part of the landscape.
The new data protection landscape is on the horizon, and for those that do not prepare there may be penalties that are impossible to recover from.