As far as the data protection landscape is concerned, Brexit could not have come at a more challenging time (some might say a more fortuitous one). In this article, I will examine the implications and deal with some of the issues that arise.
Earlier this year, the EU regulators adopted a new EU data protection framework, which will come into force in all EU countries on 25 May 2018.
It takes the form of a Regulation, which means it is binding on all member states, without the need for national legislation. The new General Data Protection Regulation (GDPR) replaces the current Directive and it places many new and heavy obligations on those affected. In order to comply, all relevant organisations within the EU will need to invest considerably, in terms of time and money.
General Data Protection Regulation: Impact On Business
Before we look at the likely impact of Brexit on these new rules, let us take a brief look at what is involved here.
- Data Processors outside the EU – The new GDPR covers all data controllers and processors located outside the EU if some (or all) of their processing activities are directed at data subjects within the EU. Under current legislation, this is not the case. Under the new rules, many external organisations will be required to appoint a representative in the EU.
- Expanded Role for Data Processors – The new rules impose onerous obligations and responsibilities on data controllers. These include:
  - Carrying out a risk assessment on processing procedures. Controllers must implement new procedures, identify high-risk operations and consider the potential risks. They must put in place appropriate systems to minimise these risks. There are significant fines for getting this wrong.
  - Implementing data protection by design and by default – ensuring that the privacy of data subjects is properly protected.
  - Keeping a detailed written record of the processing activities carried out by each controller.
  - Appointing a Data Protection Officer (DPO) if the processing is carried out by a public authority, or is considered to be on a ‘large scale’.
  - Appointing an EU representative if the organisation is not established in the EU.
  - Notifying any data breach to the Data Protection Authority (DPA) within 72 hours. In most circumstances the breach should also be notified to affected subjects without undue delay.
  - Providing information to data subjects at the same time as the data is obtained. Existing procedures that provide for a “fair processing notice” will need to be checked, as the new requirements in the GDPR are much more detailed and demanding.
  - Obtaining consent to the processing of a subject’s personal data. Consent must be as simple to withdraw as it was to give in the first place. Explicit consent must be obtained for the processing of sensitive data. Existing consents will only remain valid if they comply with the new conditions.
- Fines (Penalties) – A tiered penalty system has been established, ranging from fines of 2% of worldwide turnover plus €10m for each breach, up to 4% – 5% of turnover and €20m for each breach.
- New European Data Protection Board – An independent EDPB will be set up to replace the existing ‘Working Party’. Its obligations will include providing opinions and guidance, and ensuring the consistent application of the GDPR.
- Binding Corporate Rules – BCRs must be legally binding on every member of the group of undertakings/enterprises, inside or outside the EU, including their employees.
- International Transfers of Data – The issues of a ‘Safe Harbour’ have not yet been fully resolved, but the new regulations include many new requirements, such as whether data subjects have been properly informed of the risks of transfer.
- Data Subjects’ Rights – The new regulations considerably reinforce individuals’ rights, as can be seen from the foregoing. They include the right of access to one’s own data, the right to restrict or object to processing, the right to receive one’s data back in a commonly used format, and the right to erasure and to “be forgotten” – all of these without undue delay.
How Will Brexit And GDPR Affect Organisations Within The UK?
The simple answer is that Brexit will probably have little effect on the need to comply with the new GDPR. Most – if not all – organisations doing business internationally should already be taking preliminary steps to comply.
Even before the results of the referendum were known, the UK’s Information Commissioner’s Office (ICO) issued a statement that “the UK will continue to need clear and effective data protection laws, whether or not the country remains part of the EU.”
More recently, the ICO stated:
“The Data Protection Act remains the law of the land irrespective of the referendum result… If the UK is not part of the EU, then upcoming EU reforms to data protection law would not directly apply to the UK. But if the UK wants to trade with the Single Market on equal terms we would have to prove ‘adequacy’ – in other words UK data protection standards would have to be equivalent to the EU’s General Data Protection Regulation framework starting in 2018.”
Much will depend on the negotiations that precede Brexit. But whatever is finally agreed, the fact remains that in all likelihood, the UK will still be an EU member in May 2018, when the new Regulation comes into effect. This means that UK companies should take steps to comply – or risk massive fines.
So the ICO statement and the likelihood of fines for non-compliance are two good reasons why the UK should take the GDPR seriously.
But there is more.
As the ICO states, if companies in the UK wish to continue to trade with the EU, they really will have little choice but to comply.
What are the benefits of, or the alternatives to, non-compliance with the GDPR?
‘DP Haven’? – Some have talked about creating a ‘data protection haven’, similar to a tax haven, to attract business to the UK. But it is difficult to see how the UK could get away with implementing privacy laws that are not substantially similar to the GDPR. The EU already has regulations governing the transfer of data from the EU to other countries, and it is currently engaged in a protracted dispute with the USA over the issue of US data flows. This can only become more protracted under the new Regulation.
‘DP Light’? – Others have talked about the UK reviewing all its laws on data protection and moving to a much ‘lighter regime’. We would then need to convince the EU that our new, alternative regulations are acceptable.
But if the UK tried to avoid some of the more onerous provisions of the GDPR, it is highly unlikely that it could win the Commission’s agreement. The UK and the Commission have a long history of disagreements concerning the implementation of data protection laws to the standards required by Europe.
The recent invalidation of ‘Safe Harbour’, following the decision handed down by the Court of Justice of the European Union (CJEU), clearly indicates the likely approach of the Commission. If it has to assess the UK’s new post-Brexit data protection regime, the plain truth is that the UK is already pushing at the limits of what is permissible under current EU DP law. It is unlikely to succeed with anything much short of total compliance.
If the UK wants to position itself as a global hub for international business, technology, data, science, medical research and so on, it will have to be very circumspect in finding the right balance in its post-Brexit DP legislation. It will have to keep the EU happy, as well as being able to deal on an equal footing with the rest of the world.
In view of all this, I reiterate what I stated at the top of this article. Businesses and undertakings in the UK will be well advised to commence initial planning for the introduction of the main provisions of the GDPR, if they have not already, and keep a close watch on events.
Here are some key actions that you should now consider.
- Implement procedures and policies that allow for a quick reaction to data breaches.
- Establish a framework for accountability, and prepare to implement procedures and policies that will ensure that you will meet the required standards, as set out in the Regulation.
- Ensure that privacy is an integral feature of any new processing procedures or new IT products.
- Review the data processing you currently undertake and establish the legal basis upon which you use subjects’ personal data. Do you purely rely on ‘data subject consent’, and if so, can you demonstrate legitimate interest in processing the data which is not overridden by the interests of the data subject?
- Check your privacy notices and policies – they should be transparent and easy to access and understand.
- Review the additional rights of data subjects as set out in the Regulation. Ensure you have a legitimate reason for the storing of personal data, and that these reasons override the interests of data subjects.
- If you provide DP services to third parties, carry out a thorough review of your systems and identify areas that may need enhancing or changing. Assume that customers will expect your systems to be GDPR compliant.
- Review your international data transfers, be they ‘intra-group’, or to third parties. You must ensure there is a legitimate basis for transferring personal data to jurisdictions that are not recognised by the EU as having adequate data protection regulation. This is not a new problem, but under the new GDPR penalty regime, non-compliance could be disastrous.
In summary, there is much to think about and immediate action needs to be taken. These thoughts and actions will have little to do with the Brexit negotiations – as we already know the likely outcome as far as the UK’s compliance with the GDPR is concerned.