BREXIT, GDPR & YOUR BUSINESS
Most of us will have heard of the GDPR, but a lot of us won’t really understand what it is, or why it still matters if we’re leaving the EU, whatever your views on that might be.
Because the UK is currently an EU member, and because the GDPR is a Regulation rather than a Directive, it will become binding without our Parliament having to do anything about it. It will be law while we are still in the EU, and we may well want to keep complying with it after leaving as a way of ensuring that our trading partners know we are up to scratch.
What IS GDPR?
GDPR is the General Data Protection Regulation (Regulation (EU) 2016/679). It entered into force in May 2016 and applies across the EU from 25 May 2018.
Following the referendum, the UK’s Data Protection Minister published a statement making it clear that if the UK were to remain within the Single Market, the EU rules on personal data would probably survive, but that if we did not, all EU rules were likely to be replaced.
This reflects the government’s view that consistency beyond national borders matters, in line with the Information Commissioner’s role and responsibilities, and it is particularly important for international businesses.
Of particular note for any business that operates across borders, the Minister was very clear that such businesses would continue to need to prove that they could provide an adequate level of data protection. This has been an ongoing theme in the Brexit negotiations.
A little history lesson
In February 2017, at an EU Home Affairs Sub-Committee meeting, the Minister of State for Digital and Culture, Matthew Hancock MP reiterated that the UK will implement the GDPR to secure unimpeded data flows between the UK and the EU, particularly to underpin free trade. Although further details were not provided at the time, Mr Hancock said parts of the Data Protection Act 1998 would be deleted (“repealed”) to ensure that there was no duplication or inconsistencies with the GDPR.
On 21 June 2017, the Queen’s Speech announced the Data Protection Bill to deal with the upcoming changes. On 24 August 2017, our government published a position paper on the exchange and protection of personal data post-Brexit, in which it said it wanted to explore a unique and ambitious UK-EU model for exchanging and protecting personal data after Brexit, building on the existing adequacy model.
On 13 September 2017, the Data Protection Bill had its first reading in the House of Lords. The second reading and debate followed in October as the Bill progressed through the Lords, and the Information Commissioner produced a briefing on it in December.
Once it has received Royal Assent, the Bill will replace the Data Protection Act 1998, bring our data protection regime into line with the GDPR and in some areas go further than the GDPR. The government’s intention is to finalise the Bill before 25 May 2018, i.e. the date from which the GDPR applies.
What does GDPR mean for you and your business?
It might be difficult to get discussions off the ground on this one: the view may be that “it doesn’t really affect us”, that “Brexit will mean we don’t need to comply”, or anything in between. However, it’s clear that even if we leave the EU, and even if we leave the Single Market, the government is going to ensure that the obligations within the GDPR will still apply to us.
Couple this with a huge increase in the fines available to the Information Commissioner to mete out on those who fail to comply – up to EUR 20 million or 4% of total worldwide annual turnover, whichever is higher – and it starts to look a bit more serious.
And a final note here: beware if you transfer data to the US. You will know that the European Court of Justice decided that the EU-US “safe harbour” arrangement was inadequate and that a replacement, the EU-US “Privacy Shield”, was agreed. However, there is much pressure to review the Privacy Shield against the backdrop of the GDPR, and it is likely to be looked at again shortly after the GDPR applies, so keep your eyes peeled.
You might want to consider, for instance, making sure that your website, email marketing suite and CRM are hosted in the UK or EU and therefore under the same legislation that you have to comply with. Bear in mind, though, that the GDPR’s transfer rules are about where personal data goes, not just where the servers sit: remote access by a supplier’s support staff outside the EU is a transfer too, so check the supplier’s contract and its sub-processors, not only the data centre location.
So is the GDPR good news or bad news for businesses?
Part of any shift like this is that many businesses will see it as an opportunity to sell you something that you may well be able to take care of yourself. There are probably as many people selling auto-enrolment services as there are businesses, and the GDPR bandwagon looks to be similarly crammed full.
The onus is on you to understand the GDPR, your current practices and, if you spot a gap or need help, identify a reputable and effective practitioner.
I always think that it’s possible to turn something that looks like a headache into an asset for your business.
Consumers are aware of their rights and have higher expectations of businesses than ever. If you are up to date, up to scratch and transparent in your terms and conditions and your processes, you can use compliance as a marketable asset.
Compliance will also mean a potentially more fruitful and longstanding relationship with trading partners beyond our borders, as you will be seen to be a “safe pair of hands”.
So why not use this as an opportunity to review what you’re doing with the data within your business, and make sure not only that it is being used in accordance with everybody’s rights, but also that it is working for your business rather than sitting around clogging up your systems and providing fertile soil for complaints.