What are my 2021 GDPR responsibilities after Brexit?
What is happening to GDPR in the UK after Brexit? What are my GDPR responsibilities now that the UK has left the EU? We explore the General Data Protection Regulation (GDPR) post Brexit.
Author: Jake Knight
Date: Tuesday 4 May 2021, UK
GDPR after Brexit
GDPR is an EU regulation, so on its own it stopped applying to the UK when the UK left the European Union. However, the UK has its own applicable law, the Data Protection Act 2018, and, as the Information Commissioner's Office (ICO), the UK regulator that upholds information rights, explains, the GDPR has been retained in UK law as the "UK GDPR", which sits alongside that act.
So, in practice the data protection obligations you already follow are largely unchanged, and the UK still has GDPR after Brexit, in the form of the UK GDPR.
Remind me, what are my GDPR responsibilities again?
Personal data is any information that can be used to identify a living person, and it includes names, addresses, phone numbers, payment details, email addresses, National Insurance numbers and much more.
Most companies hold data about their employees, customers or clients, and it is your responsibility to protect it. Any vulnerability in your IT infrastructure or personnel systems can lead to the data you hold and process being lost or exposed, and failing to keep that data appropriately secure is a breach of the law. If a breach does occur and is likely to put individuals at risk, you must also report it to the ICO without undue delay and, where feasible, within 72 hours of becoming aware of it.
Will we still have to pay for data breaches after Brexit?
Yes, you can still be fined for data breaches after Brexit. The ICO retains the power to fine any company that misuses personal data or is responsible for a data breach. Under the UK GDPR those fines are slightly lower than under the EU regulation, but can still reach £17.5 million or 4% of annual worldwide turnover, whichever is higher. If your processing also falls under the EU GDPR, the EU maximum of 20 million euros or 4% of annual worldwide turnover could apply as well.
The ICO can also issue a ban on data processing or suspend a company’s ability to transfer data to another country, which could damage your business.
What if my business plans to work with European companies after Brexit?
If any part of your business offers goods or services to, or monitors the behaviour of, individuals in the EU, or handles personal data on behalf of EU companies, the EU GDPR still governs that processing. Its scope depends on where the individuals are, not on their citizenship, so the protection applies to anyone in the EU. In that case you may also need to appoint a representative in the EU.
And if you have signed Standard Contractual Clauses (SCCs) covering personal data leaving any country in the European Economic Area (EEA), not just the EU, these remain valid and should be kept in place.
What changes should I make?
The rules around data protection were created to protect us all and should still be adhered to. If you are already GDPR compliant you should not have to make any changes, although it is a good idea to review your current contracts and SCCs and take some time to ensure your business is still operating appropriately. For example:
- Continue to process personal data properly after Brexit
- You still need consent, or another lawful basis, to contact customers for marketing
- Anyone has the right to access the data you hold about them and to request its deletion
- Only gather the information that you actually need
If you’re unsure about your company’s GDPR processes, there are checklists that can be downloaded from the ICO, or you could book a GDPR Health Check. As part of the Cyber Protect package offered by Focus Group, we provide a comprehensive report based on the findings of our specialist data software, which is designed to uncover GDPR-related network issues and potential breaches.
Our data protection officer will provide you with a consolidated report outlining your potential financial liability if you were to be inspected by the ICO.