Cutting through the confusion: GDPR and Brexit

For some time there has been a looming date in the data protection calendar – 25th May 2018. That’s when the GDPR (General Data Protection Regulation) is set to come into force. Organisations across Europe will then be required to comply with tougher rules to prove they actively protect and more explicitly ask to collect personal data. But, for how long?

Thanks to the Brexit vote on June 23rd there’s now a climate of uncertainty over EU regulation compliance and what will happen after the UK leaves the EU. What’s more, 44% of IT professionals in a recent poll indicated they were unaware or only vaguely aware of the new GDPR rules.

So what happens now? The Deputy Information Commissioner Steve Wood says that UK businesses are “caught in a confusing place, between looming EU regulation and Brexit.”

We discuss some of the assumptions, the possible timings and attempt to cut through the confusion caused by Brexit.

The key points of GDPR

The GDPR is set to apply to all UK organisations offering any type of service to the EU market. It will oblige organisations to fulfil a range of rights applicable to EU individuals and the data they hold on them.

The new legislation also carries huge fines for not reporting or remedying a breach and will be far tougher than the current UK Data Protection Act 1998.

Here is a quick review of the main features:

The right to be forgotten: Probably the most controversial aspect of the GDPR, individuals will have the right to withdraw their consent to the storage or use of their personal data and to request their data be deleted. For most organisations that handle customer data, this effectively means the right to have it erased.

A particular headache is that it could apply to data collected back in the data subject’s childhood. If this data is now stored elsewhere then it will still need to be erased.

Consent to holding data must be explicit, not implied: No more confusing ‘I agree’ tick-boxes with reams of digital small print or services where access is only granted once data has been given. The data must be given freely, rather than under duress. It must also be requested in clear and plain language and asked for in a recognisably ‘standalone’ format.

Individuals’ rights to their own data: Everyone will be entitled to see their own data – so the organisation must release a copy of any data it holds about them, in a commonly readable format, so that they can exercise the right to data portability – meaning they can transfer personal data from one service provider to another.

The time to report data breaches: A Data Protection Officer (DPO) will be responsible for reporting to the Information Commissioner’s Office on breaches and any affected individuals – within 72 hours. If only breaches were that easy to detect…

Fines: An organisation that breaches the GDPR may be fined up to 4% of its global turnover. Note global, not just the country where the breach took place.

Post Brexit: GDPR assumptions and scenarios

Elizabeth Denham, the UK’s new Information Commissioner, recently told BBC Radio 4 that: “The UK is going to want to continue to do business with Europe. In order for British businesses to share information and provide services for EU consumers, the law has to be equivalent.” The message was that the EU’s GDPR will still apply to the UK post-Brexit.

So, if, “Brexit means Brexit” then “GDPR would appear to mean GDPR”. However, in uncertain times confusion and lack of awareness reigns – not everyone has the same opinion. We’ve created some potential points of view and given our interpretation.

‘We’re a British company, we don’t have operations in Europe and all our data is stored on servers in the UK. Brexit will mean that the GDPR won’t apply to us.’

Wrong. It’s about who the data is about, not where it’s held. If your data is about EU individuals, not storing data on EU soil won’t make you exempt.

‘The UK Government is dragging its feet over invoking Article 50 and it’ll take two years before we leave the EU after that. We are already behind on getting ready for GDPR – let’s wait and see what happens.’

That might be the case, the UK might not leave the UK until sometime in 2019. That’s precisely why you still need to prepare for GDPR. It doesn’t need to be implemented in local law – it will become effective immediately – and that still means May 2018 when the UK will, almost certainly, still be a member of the EU. So, there will be a period of a year or so when the full directive applies to the UK. Some legal experts think that it’s the organisations that have yet to prepare for GDPR (and are hoping Brexit means they don’t have to) that are the ones likely to be caught out.

‘’So we’ll be subject to GDPR for a year. Surely the UK won’t come up with something so stringent when we leave the EU?’

The UK still needs to be a strong trading partner with the EU when we leave. It won’t help our case if we step back from legislation and standards that offer higher protection in Europe. It is therefore likely that compliance officers may adhere to EU standards anyway as a matter of business policy.  Aspects of GDPR may remain relevant to UK business even if it doesn’t legally apply after Brexit. And don’t forget ‘The Great Repeal Bill’ – that’s going to bind EU laws into UK law from the date of the UK’s departure, so GDPR (or something very similar) is probably going to stay.

‘The more we look at GDPR, it seems there is a lot of work involved but that’s nothing compared to the potential fines for non-compliance. As much as it annoys us, we are concerned about the risk of doing nothing.’

That is a fair assessment. UK business is caught in a legal grey area. As with many issues arising from Brexit, we don’t know the final outcome. What we can say is that non- compliance is a calculated risk and a high one at that. And, if you want to continue to do business with Europe and share information, the law has to be equivalent.

‘OK. We’re convinced. How do we get ready to comply with GDPR?’

Our own perspective is that companies should respond as if GDPR was going to be UK law and prepare for it appropriately.  As explained above it is quite likely that it will be UK law, at least for a time. After that, the UK will either need to, or will want to, demonstrate compliance as part of best practice in data protection. The bottom line is that the GDPR requirements need to be understood and acted upon and we advise all companies to at least carry out a discovery exercise of their business to see what the impacts of the changes could be on them.

The Information Commissioner’s Office has produced a helpful guide to preparing for the General Data Protection Regulation (GDPR);  you may benefit from downloading it and following their 12-step checklist. As part of this you may need to conduct an information audit and review aspects of your current privacy and data protection policies – as well as your procedures for handling any data breach. Should you need any additional guidance through any of these issues – Blue Saffron  is here to help.