We're 2 months away from the self-imposed deadline to trigger Article 50 by the British Prime Minister Theresa May, and we still see unrest amongst the country regarding its certainty. What does Brexit mean for your business, and its data processing? This article discusses the future under the European General Data Protection Regulations that all EU countries have to abide by, which includes all of UK businesses until the exiting of UK is complete. How can you take action against possible breaches and avoid the €2,000,000 fine?
On 23 June 2016, Britain watched as the Brexit vote divided the nation in half with 48% bremainers being narrowly beaten. In the following weeks chaos and further political reorganization spread around the country with many speculating on UK post Brexit. Despite the Article 50 not yet triggered, Prime Minister Theresa May declared the intent to trigger it by March 2017.
Among many talks of politics, trade relations, immigration and citizenship, one of the topics discussed was the implementation of General Data Protection Regulations, also known as GDPR, to replace the existing Data Protection Act 1998. While our current practices are dependant upon organisations taking responsibility to ensure compliance or risk a fine of up to £500,000; its replacement could be seen potentially issuing fines of up to €20,000,000. It also requires the businesses to implement stronger processes around data protection by employing a dedicated data protection officer, requiring the organisations to keep a log of ALL data protection breaches and brags the right to name and shame offenders.
Brexit and Businesses
For businesses, Brexit raised many questions on the economic affairs of the country and its relations with EU. When the road to implementing General Data Protection Regulations (GDPR), which had been introduced in April 2016 and expected all UK businesses to comply with by April 2018. Now, a proportion of the businesses may have let out a collective sigh as they thought (mistakenly) that the bright side of Brexit was the exit of GDPR; which had included stricter guidelines on data protection that our current Data Protection Act and introduced more power to the common man (also known as data subject) and severe punishment to all businesses (up to 4% of Annual global turnover or €20 million- whichever was higher in each case). Stricter auditing and the far-reaching influence of GDPR meant that businesses had to change their current working model and spend resources to ensure compliance.
Little did they realise, that roughly 40% of UK businesses have professional relationships with, and thus hold data of European ‘data subjects’. GDPR requires anyone who holds the data of EU citizens to comply with it regardless of where they’re based geographically. Add to this the fact that the earliest Brexit would’ve been completed is by May 2018 which, as mentioned earlier, meant there would’ve been at least a month of compliance requirement with GDPR.
This is all before the judges famously ruled for a parliamentary vote needing to decide the trigger of Article 50 regardless of what the nation voted for, not 72 hours ago. This not only pushes that expected Brexit date further into the future, it puts the whole concept of Brexit into jeopardy, considering the post-brexit revelations from the Brexit campaigners.
What does this mean for you?
This means there is less than 18 months before the GDPR comes into effect in the UK. In fact, you can access the countdown to GDPR here. While it is tempting to probably wait it out, we strongly urge you to think about how you can ensure compliance with the GDPR. It would only take one disgruntled EU citizen to report your business to the GDPR regulators over compliance, and what would ensue is weeks of audit, report releases and potential fine of €20 million.
Is it worth the risk?
The need for Action
It is highly recommended that action is taken to ensure compliance with GDPR in areas especially around where the data is used, how it is used, and how the individuals are notified of the information that is kept in the systems.
While the 8 Principles of Data Protection may still carry over to GDPR regulations, the key changes include the addition of data protection officers, who are required to keep a log of all data protection breaches (regardless of whether it was reported or self-identified). The data subject, or your consumer, has the right to see everything you have on them, and can transmit their data to a different organisation if they like. The GDPR also calls for organisations to hold ONLY the data that they have the need to hold, and no additional ‘potentially useful’ data. Consent have been strengthened and penalties even more so. The only thing left is for organisations to prepare for the change.