Will the UK still have to comply with GDPR after Brexit?
In short, the answer is yes.
But maybe not in the way you are currently used to.
Yes, GDPR is an EU regulation, which means that once the UK leaves the European Union it no longer applies directly. However, the UK has its own applicable law, the Data Protection Act 2018, and according to the Information Commissioner's Office (ICO), the UK watchdog that works to uphold information rights, the government plans to fold the General Data Protection Regulation into that existing act after Brexit.
So it is unlikely that there will be many changes to the data protection obligations we currently abide by, and the UK will in practice still have GDPR post-Brexit.
Remind me what my GDPR responsibility is again:
Personal data is any information that can be used to identify a living person. It includes names, addresses, phone numbers, payment information, email addresses, National Insurance numbers and much more.
Most companies hold data about their employees, customers or clients, and it is your responsibility to protect it. Any vulnerability in your IT or personnel systems can lead to the data you hold and process being lost or exposed, and a loss or exposure of that kind is a breach of the regulation.
Will we still have to pay for data breaches after Brexit?
Yes. The ICO still has the power to fine any company that misuses personal data or is responsible for a data breach. Fines under UK law may not turn out to be as large as those under GDPR, but if you are in breach of GDPR then the full amount (up to 20 million euros or 4% of annual worldwide turnover, whichever is higher) could still apply.
The ICO can also issue a ban on data processing or suspend a company’s ability to transfer data to another country, which could damage your business.
What if my business plans to work with European companies after Brexit?
If any part of your business has transactions with EU companies, or processes the personal data of people in the EU (for example by offering them goods or services or monitoring their behaviour), you will still be governed by GDPR: the regulation protects data subjects who are in the EU, not only EU citizens.
And if you have signed any Standard Contractual Clauses (SCCs) that protect data leaving any country in the European Economic Area, not just the EU, then these will still apply.
What changes should I make?
The rules around data protection were created to protect us all and should still be adhered to. If you are already GDPR compliant you should not have to make any changes, although it is a good idea to review your current contracts and SCCs and take some time to ensure your business is still operating appropriately, for example:
· Continue to process personal data properly after Brexit
· You still need consent, or another lawful basis, before contacting customers
· Anyone has the right to access the data you hold about them and to request that it be deleted
· Only gather the information that you actually need
If you’re unsure about your company’s GDPR processes, there are checklists that can be downloaded from the ICO or you could book a GDPR Health Check. As part of the Cyber Protect package offered by Focus Group, we provide a comprehensive report based on the findings of our specialist data software that has been designed to uncover any GDPR related network issues and potential breaches. Our data protection officer will provide you with a consolidated report outlining your potential financial liability if you were to be inspected by the ICO.
Laurence Glen, Head of IT at Focus Group, says:
"GDPR has had a huge and lasting impact on data protection; the way companies process data has changed forever. Even after we withdraw from the European Union it will have an influence over our businesses, and so it makes sense to continue to be compliant. But your processes should still be reviewed regularly to ensure you don't get caught out; fines and sanctions will still bite after Brexit. A GDPR health check is an ideal way to ensure best practice and absolutely essential for any company that processes large amounts of data."