Will the UK still have to comply with the GDPR after Brexit?
The ICO (Information Commissioner’s Office) has released its annual report, which has revealed an “unprecedented” year. It received 41,661 data protection complaints in 2018/19, up from 21,019 in 2017/18.
Big fines have hit the headlines since last May, as you’d expect; namely the €50 million fine imposed on Google by a French regulator for not complying with the rules when it comes to using personal data in tailored online advertising.
Recently, the ICO announced its intention to fine Marriott International over £99 million for GDPR infringements, after a security breach which exposed around 339 million guest records across the globe.
Although these fines make for worrying reading, the data protection authorities have on the whole been careful not to be too heavy-handed, and are sympathetic to the GDPR administrative burden (by which small to medium enterprises with limited cashflow and resources are likely to be worst hit).
We expect that the enforcement activity will continue to gather pace as the settling-in period passes. With this in mind, it’s not too late to take stock and do an audit on your GDPR compliance processes, such as reviewing your policies and supplier contracts, and how your policies are working in practice. You should regularly conduct refresher training for staff who are involved in handling personal data or ask specialists to come and do this for you – we’ve been asked by many clients to come to their organisation and deliver inhouse training.
Brexit and GDPR – will UK businesses still need to comply?
Yes. After the anticipated Brexit date, things are likely to get more complicated for UK companies doing business in Europe. Since we’ll no longer be part of the EU, a UK company may find itself subject to both the GDPR and the parallel Applied GDPR regime, so will have to answer to not only the ICO, but also one or more EU Regulators.
There will be new rules to comply with when it comes to transferring data out of the EU, which will require existing contracts to be audited for compliance. In the event of a no-deal Brexit, and in the absence of an adequacy ruling, most companies will need to manage any transfer of personal data from the EU to the UK contractually, within the current legal framework, through the use of EU model clauses.
How else may my business be affected?
You may also be required to nominate an Article 27 representative within the EU to act as an interface between your company and your EU data subjects, or relevant EU supervisory authority.
As well as reviewing the contractual side of things, you will need to update your online privacy notice to inform customers of the steps you have taken to ensure the compliant transfer of personal data between the UK and the EU, and to inform EU data subjects of the identity of your Article 27 representative.
Along with our sister company, Willans Data Protection Services, we can help you with these issues.
Businesses should remember that this whole ongoing exercise isn’t just about avoiding fines or adverse PR. The main objective is a worthy one: respecting the privacy of data subjects, handling their data responsibly and keeping it safe. If these principles are ingrained in the way your organisation operates, you are on the right track.
As always, if you need commercial and pragmatic legal advice concerning data protection and GDPR, we’re here to help so please get in touch.