GDPR 18 months on: How will Brexit affect it?

Tuesday October 15, 2019 4:26pm by Tim Stevens

In May 2018, the way businesses handle and process personal and sensitive data was overhauled with new Europe-wide General Data Protection Regulation (GDPR) rules. And the continent now has the world’s strictest data protection laws.

In the UK, the Information Commissioner’s Office (ICO), which can conduct criminal investigations and issue fines, enforces GDPR.

What is it?

GDPR modernised outdated laws while protecting individuals’ personal information, giving them more control over it and harmonising data privacy law across Europe.

A new fines regime of up to €20m (£18m) for the most serious breaches, or 4% of global turnover if greater, replaced the previous maximum penalty of £500,000.

Under GDPR, companies with 250 or more employees must:

  • Document why they’re collecting and processing people’s information
  • Describe what’s being kept and how long for
  • Outline the technical security measures in place
  • Delete information when it’s no longer needed for the purpose it was gathered for

In some situations, businesses must obtain consent before processing data, and there must be a ‘positive opt-in’. Equally, under a Subject Access Request (SAR), an individual can ask to see their data, free of charge.

Have any companies been fined so far?

Yes. British Airways and the Marriott hotel chain were among the first.

Marriott was slapped with a proposed fine of nearly £100m, following a hack of the records of millions of guests. BA received notice of a £183m fine, 1.5% of its global annual turnover, following a similar hack.

In both cases, appeals are ongoing.

Of the 206,326 cases reported under the GDPR across the European Economic Area’s (EEA’s) 31 countries, national data protection agencies have resolved just 52%. Among other fines to have been issued is a €50m penalty imposed on Google by the French regulator CNIL in early 2019.

So no organisation that is not yet fully compliant can afford complacency. Data protection processes require regular review, so that all measures are in place to minimise threats to security.

One survey from July 2019 revealed that almost a third of European businesses are still not fully GDPR-compliant. Yet general awareness of data protection is rising, thanks to increasingly publicised breaches. And the potential reputational damage is as problematic as the financial penalties.

What happens after Brexit?

Passed in 2018, the UK’s Data Protection Act incorporates most of the provisions of the GDPR. So businesses should not have to change policies.

However, if you move data between the UK and the European Economic Area, there could be changes, depending on how the UK leaves the EU, particularly in a ‘no deal’ situation.

If that happens, organisations will need to work with their counterparts overseas to assess whether alternative legal arrangements are needed.

The GDPR limits movement of personal data to non-EEA nations. If personal data is transferred to ‘third countries’, which is what Britain would become under no deal, it must be protected by appropriate safeguards. So the government would need to take steps to allow the free flow of personal data to the EEA.

What we do

At i-4business, our technology company prospect data is GDPR-compliant, and we supply only permissioned information.

We offer a free trial and access to our specialist EMEA database so that you can evaluate our service for yourself. You can look forward to unlimited access and a transparent view of our systems for 14 days.

To book your free trial, please get in touch with one of the i-4business team today.