For some time, there has been confusion about Brexit and the GDPR. But with the deadline for the General Data Protection Regulation (GDPR) getting ever closer, it’s time for enterprises to begin preparing.
At face value, the immediate implications of Brexit and the GDPR may not seem that important. After all, when the UK triggered Article 50 on March 29th 2017, and began the process of leaving the EU, nothing seemed to happen. Adding to the confusion, there is no clear picture of what will replace the current rules and regulations when that process is eventually complete.
However, when it comes to the GDPR, it pays to prepare in advance. One thing is certain: the GDPR comes into force on 25th May 2018. Even taking the most ambitious timelines into account, the Brexit process is likely to take until at least 2019 to negotiate. The eagle-eyed amongst you will have noticed an overlap. The UK will still be a member of the EU when the regulation is rolled out. What does this mean for your organisation? Well, consequently, all UK enterprises will have to adhere to it.
Post-Brexit, the terms negotiated between the UK and the EU will inevitably affect the way the UK continues to comply with EU laws. However, the GDPR applies to any organisation processing EU citizens’ data, regardless of EU membership or geographical location. Therefore, if your organisation interacts with the EU in any way, you need to be compliant with GDPR.
The GDPR widens the definition of personal data. It also tightens the rules for obtaining valid consent to the use of that data. This means that even if your company currently complies with existing data security laws, you may risk non-compliance with the GDPR.
As an example, let’s look at the definition of personal data:
From 25th May 2018, the classification of personal data includes anything that can identify an individual. For the first time, this includes genetic, mental, cultural, economic or social information. And you need valid permission to use it. So, if you store or process this data without valid permission, your organisation is at risk.
Importantly, the burden of proof lies with you. The GDPR requires that all organisations are able to prove clear and affirmative consent to process the data they hold. Additionally, proof of permission also applies to existing customer and client data. So, it’s important to make sure your existing contacts know and approve of the way you use their information.
Going forward, this affirmative consent will be a requirement for any company that processes the data of EU citizens. This means that even after Brexit, companies wishing to do business with countries inside the EU must comply with the GDPR. The ICO has made it crystal clear that Brexit will not exempt UK businesses from these regulations when dealing with EU data.
Currently, 50% of organisations feel that they will not be able to fulfil the requirements set out by the GDPR. It’s hard to tell whether this lack of preparedness is down to the hope that Brexit and the GDPR would cancel each other out, with Brexit providing a convenient excuse to halt the application of the new processes required by the 260-page GDPR document, or whether there has simply been a lack of general awareness and information on what the regulation means for enterprise.
Whatever the case, companies that fail to prepare for the implementation of the GDPR are at risk. Organisations in breach of the GDPR can face fines of up to €20,000,000, or 4% of global annual turnover.
So, the next question is, how can you prepare for Brexit and the GDPR? The first step is to conduct a GDPR readiness assessment. This will show how closely your current policies and procedures align with the new regulation. A readiness assessment provides a clear understanding and visibility of an organisation’s current level of compliance. It will provide recommendations for change, and identify any high-impact risk areas to address in the short term.
Our GDPR readiness work packages offer organisations the chance to see how prepared they are for the implementation of the new data protection regulations.
This article was originally published on March 20, 2017. It has been updated to reflect recent announcements regarding Brexit and the GDPR.