Barrister Sam Thomas explains why Brexit will not save non-compliant businesses from fines under the EU’s General Data Protection Regulation (GDPR).
Failure to comply with the EU General Data Protection Regulation (GDPR) could cost your company 4 per cent of total global annual turnover or €20 million (£18 million). On 25th May 2018, the GDPR will come into force in the UK. With the Article 50 process taking two years from its activation in March 2017, there is no escape from GDPR through Brexit.
In fact, the rules of GDPR are so pervasive that regardless as to whether it is a hard or soft Brexit, compliance with GDPR will be necessary for all SMEs that process personal data.
The GDPR is the European Union’s attempt to provide uniform data protection regulation for all European citizens. It is important to note that the provisions of GDPR apply to EU citizens rather than EU countries. Following Brexit, companies that wish to collect, store or use the personal data of EU citizens must comply with the provisions (or a similar UK equivalent which provides adequate protection).
The Data Protection Act 1998 (DPA), the current predominant legislation within this jurisdiction, will likely be amended or replaced to meet the 25th May 2018 deadline, when the UK will still be a member of the EU. Once new legislation is in place, it would be counter-intuitive to weaken the protections imposed, given the UK will wish to continue to trade into Europe even though we are not part of the Union.
So what provisions will be introduced? The GDPR will tighten the need to obtain consent when taking personal information. Opt-out tick boxes are unlikely to be enough. With special categories of information, such as medical or health related data, explicit consent of the individual may be required, and businesses will need to be aware of the measures to be adopted to ensure compliance.
Data protection officers (DPOs) may need to be appointed, but only “where the core activities consist of processing operations which require regular systematic monitoring of data subjects on a large scale or of special categories of data or data relating to criminal convictions or offences”.
All organisations must be able to notify their monitoring authority (likely to remain the Information Commissioner’s Office within the UK) of a data breach within 72 hours, unless they can show this was not done because it would have resulted in a risk to the rights and freedoms of individuals. Sufficient monitoring must be in place to ensure any breach can be identified, and subsequently reported.
Other changes include allowing the right to access and the right to be forgotten, which is essentially data controllers deleting specified personal information to ensure it is not shared with third parties.
If your company trades exclusively within the UK, has no online presence, and is currently compliant with the DPA, the GDPR may not have too great an impact following some modification to your data management procedures. However, if your company has any focus toward the continent then it is imperative that you begin to consider the GDPR.
If you also collect or use data from other non-EU countries like the USA, Russia or China then you may wish to consider taking specialist legal advice. Compliance with the GDPR may conflict with data protection legislation in other countries. Costs, such as multiple servers with one within each jurisdiction, may or may not be required.
Think ahead and take advice to avoid unnecessary costs.
Sam Thomas of Cyber Counsel is a barrister at 2 Bedford Row Chambers.