For some time, there has been confusion about Brexit and the GDPR. But with less than 500 days remaining before the General Data Protection Regulation (GDPR) comes into force, it’s time for enterprises to begin preparing.
At face value, the immediate implications of Brexit and the GDPR may not seem that important. After all, The UK will trigger Article 50 on March 29th 2017, and begin the process of leaving the EU. It’s unclear what rules and regulations will be kept when that process is complete.
However, when it comes to the GDPR, it pays to prepare in advance. The GDPR comes into force on 25th May 2018. Even taking the most ambitious timelines into account, the Brexit process is likely to take until at least 2019 to negotiate. This means that the UK will still be a member of the EU when the regulation is rolled out. Subsequently, all UK enterprise will have to adhere to it.
Post-Brexit, the terms negotiated between the UK and the EU will inevitably affect the extent to which the UK continues to comply with EU laws. However, the GDPR will apply to anyone processing EU citizens’ data, regardless of EU membership or geographical location. Therefore, by implication, this will include a significant number of UK organisations.
There’s less than 18 months before the regulation is rolled out across the EU. Accordingly, the ICO advises that it is time to move past the initial awareness stage and start preparing your company. The GDPR widens the definition of personal data. It also tightens the rules for obtaining valid consent to use of that data. This means that even if your company currently complies with existing Data Security laws, you may risk non-compliance with the GDPR.
For example, the GDPR is widening the definition of personal data. From 25th May 2018, any data that can identify an individual is classed as personal data, and therefore permission for use is required. For the first time, this includes genetic, mental, cultural, economic or social information. Any company storing or processing this data without valid permission is at risk.
Importantly, the burden of proof lies with you, the enterprise. The GDPR requires that all organisations are able to prove clear and affirmative consent to process the data they hold. And as proof of permission will be applied to existing customer and client data it’s important to make sure they know, and approve of, the way you use their data.
Going forward, this affirmative consent will be a requirement for any company that processes the data of EU citizens. This means, that even after Brexit, companies wishing to do business with countries inside the EU must comply with the GDPR. The ICO has made it crystal clear that Brexit will not exempt UK businesses from these regulations when dealing with EU data.
Currently, 50% of organisations feel that they will not be able to fulfil the requirements set out by the GDPR. It’s hard to tell if this lack of preparedness is down to the hope that Brexit and the GDPR would cancel each other out. With Brexit providing a convenient excuse to halt the application of the new processes required by the 260 page GDPR document, perhaps. Or whether there has simply been a lack of general awareness and information on what the regulation means for enterprise.
Whatever the case, companies who fail to prepare for the implementation of the GDPR are at risk. Organisations in breach of the GDPR can face fines of up to €20,000,000, or 4% of global annual turnover.
So, the next question is, how can you prepare for Brexit and the GDPR? The first step is to conduct a GDPR readiness assessment. This will show how aligned your current policies and procedures align with the new regulation. A readiness assessment provides a clear understanding and visibility of an organisation’s current level of compliance. It will provide recommendations for change, and identify any high impact risk areas to address in the short term.
Our GDPR readiness work packages offer organisations the chance to see how prepared they are for the implementation of the new data protection regulations.