Brexit and the GDPR: What Your Organisation Needs to Know

March 20th, 2017


For some time, there has been confusion about how Brexit affects the GDPR. But with less than 500 days remaining before the General Data Protection Regulation (GDPR) starts to apply, it's time for enterprises to begin preparing.

Brexit and the GDPR: Timing is everything

At face value, the immediate implications of Brexit for the GDPR may not seem that important. After all, the UK will trigger Article 50 on March 29th 2017 and begin the process of leaving the EU, and it's unclear which EU rules and regulations will be retained once that process is complete.

However, when it comes to the GDPR, it pays to prepare in advance. The GDPR applies from 25th May 2018. Even on the most ambitious timelines, the Brexit negotiations are likely to run until at least 2019, since Article 50 allows two years for them. This means that the UK will still be a member of the EU when the regulation starts to apply. Consequently, all UK enterprises will have to adhere to it.

Post-Brexit, the terms negotiated between the UK and the EU will inevitably affect the extent to which the UK continues to comply with EU laws. However, the GDPR applies to any organisation, wherever it is established, that offers goods or services to individuals in the EU or monitors their behaviour (Article 3), regardless of EU membership or geographical location. By implication, this will include a significant number of UK organisations.

What Next

There's less than 18 months before the regulation applies across the EU. Accordingly, the ICO advises that it is time to move past the initial awareness stage and start preparing your company. The GDPR widens the definition of personal data. It also tightens the rules for obtaining valid consent where consent is the basis on which you use that data. This means that even if your company currently complies with existing data protection law, you may risk non-compliance with the GDPR.

For example, the GDPR widens the definition of personal data. From 25th May 2018, any data relating to an identified or identifiable individual is personal data, and a lawful basis is required to process it. The definition (Article 4(1)) expressly covers information about a person's physical, physiological, genetic, mental, economic, cultural or social identity. Any company storing or processing such data without a lawful basis is at risk.

Importantly, the burden of proof lies with you, the enterprise. Consent is one of six lawful bases for processing (Article 6), and where you rely on it, the GDPR requires you to be able to demonstrate that the individual gave clear and affirmative consent (Article 7(1)). This applies to existing customer and client data as well: consents obtained under the current rules only remain valid if they already meet the GDPR standard, so it's important to make sure customers know, and approve of, the way you use their data.

Going forward, these requirements apply to any company that processes the data of individuals in the EU. This means that, even after Brexit, companies wishing to do business with countries inside the EU must comply with the GDPR. The ICO has made it crystal clear that Brexit will not exempt UK businesses from these regulations when dealing with EU data.


Some Key Changes to Data Privacy

  • Right to Be Forgotten: Also known as the 'Right to Erasure' (Article 17). Customers can request that your company delete the personal data it holds on them. However, this is not an absolute right: individuals can require erasure, and prevent further processing, only in specific circumstances. These include: when the individual withdraws the consent on which the processing relies, where the personal data is no longer necessary for the purpose for which it was originally collected or processed, or where the personal data was unlawfully processed (i.e. otherwise in breach of the GDPR).
  • Transfer of Data: Potentially important when considering Brexit are the GDPR's rules on transfers of personal data (Chapter V). The GDPR restricts transfers of personal data to third countries (countries outside the EU/EEA) and to international organisations, so that the level of protection the GDPR gives individuals is not undermined. A transfer may be made where the Commission has decided that the third country, a territory or one or more specific sectors within it, or the international organisation ensures an adequate level of protection; otherwise appropriate safeguards such as standard contractual clauses or binding corporate rules are needed (Article 46). These rules cover transfers to any offices your company has outside the EU, and once the UK leaves the EU the UK itself becomes a third country for transfers from the EU. So it's important to make sure processes and systems are compliant in advance.
  • Accountability Principle: The new accountability principle in Article 5(2) requires you to demonstrate that you comply with the data protection principles, and states explicitly that this is your responsibility. To demonstrate compliance you should implement internal data protection policies and measures such as staff training, internal audits of processing activities, and reviews of internal HR policies. Additionally, you must appoint a data protection officer where Article 37 requires it, and should consider doing so in other cases.
  • Data Breach Notification: Going forward, companies must report a personal data breach to the relevant supervisory authority within 72 hours of becoming aware of it, where feasible (Article 33). Notification is required only where the breach is likely to result in a risk to the rights and freedoms of individuals, which has to be assessed case by case. Where the breach is likely to result in a high risk to individuals, you must also inform the affected individuals without undue delay (Article 34). For example, you will need to notify the supervisory authority, and probably the customers concerned, about a loss of customer details where the breach leaves individuals open to identity theft.

Fail to prepare, prepare to fail

Currently, 50% of organisations feel that they will not be able to fulfil the requirements set out by the GDPR. It's hard to tell whether this lack of preparedness is down to the hope that Brexit and the GDPR would cancel each other out, with Brexit providing a convenient excuse to halt the new processes the GDPR requires, or whether there has simply been a lack of general awareness and information on what the regulation means for enterprises.

Whatever the case, companies that fail to prepare for the implementation of the GDPR are at risk. Organisations in breach of the GDPR can face fines of up to €20,000,000 or 4% of global annual turnover, whichever is higher (Article 83(5)).

So, How Can You Prepare?

So, the next question is: how can you prepare for Brexit and the GDPR? The first step is to conduct a GDPR readiness assessment. This will show how closely your current policies and procedures align with the new regulation. A readiness assessment provides a clear understanding and visibility of an organisation's current level of compliance. It will provide recommendations for change, and identify any high-impact risk areas to address in the short term.

Our GDPR readiness work packages offer organisations the chance to see how prepared they are for the implementation of the new data protection regulations.
