What happens when we do leave the EU and are no longer a member state?

In my view, GDPR, or regulations that mirror GDPR, must continue to apply in the UK. GDPR applies to an organisation of any size that collects or processes an EU citizen's personal information. The focus is on protecting the individual's personal data. It applies notwithstanding that the organisation may be based or physically located outside Europe. It will not be possible to conduct business that triggers the application of GDPR, because of the nature and use of the personal data involved, without complying with or being subject to the GDPR regime. The regulations have a jurisdictional reach that stretches across borders to protect EU citizens and the use of their personal information. If the UK remains a part of the European Economic Area (EEA) after leaving the EU, then GDPR must remain in force as UK domestic law. Should the UK not remain part of the EEA after Brexit, and GDPR were no longer in force, it would be impossible to lawfully transfer EU personal data from member states to the UK unless the UK adopted equivalent and adequate regulations. In short, GDPR, or GDPR under another national badge, will continue to bite and will be here for the long term.
What should businesses be doing about GDPR compliance?

The short answer is: obtain expert GDPR compliance advice now. Whatever the size of the business, if it controls or processes personal data this should be an urgent priority. GDPR has tightened the need to obtain consent where personal information is collected. In relation to special categories of information, such as medical or health-related data, explicit consent of the individual may be required, and businesses will need to be aware of how this applies to them and of the measures they need to adopt to ensure compliance. Data Protection Officers (DPOs) may need to be appointed, but only "where the core activities consist of processing operations which require regular systematic monitoring of data subjects on a large scale or of special categories of data or data relating to criminal convictions or offences". All organisations must be ready and able to properly notify a breach within 72 hours unless it can be shown that this was not done because it would have resulted in a risk to the rights and freedoms of individuals. Other changes include the right of access and the right to be forgotten, essentially by way of deletion, so that a data controller deletes the specified personal information and ensures it is not shared with third parties. GDPR is aimed at improving the protection of EU citizens' personal information. In many ways these regulations lift data protection to a new level of compliance, perhaps best understood by comparison with anti-money laundering regulation, where compliance officers and disclosure are part of the landscape. The new data protection landscape is on the horizon, and for those that do not prepare there may be penalties that are impossible to recover from.