UK businesses will have to continue adhering to strict data protection laws – even when Brexit finally goes ahead.
The current 1995 EU Data Protection Directive harmonised the many national laws on data protection across the various member states.
The laws are about to be strengthened further when the EU’s General Data Protection Regulation (GDPR) comes into force in 2018.
If an organisation finds itself in breach of the GDPR, the fine can be up to 20 million euros or up to 4% of the organisation’s total worldwide annual turnover, whichever is higher.
Brexit will cause a period of regulatory uncertainty in the area of data protection, as in many other areas.
Businesses operating solely in the UK with UK customers, and storing data only in the UK, might think they are unlikely to have to implement significant changes in their data protection processes. However, this is unlikely to be correct because:
- All organisations will need to comply with existing EU legislation until the UK exits the union. It is not certain when this will happen.
- The Information Commissioner’s Office (ICO) has said it intends to call on the Government to reform UK law on data protection in order to achieve equivalent standards to the EU’s.
- The GDPR is seen by many UK businesses as merely setting out what is now regarded as good practice in the area of data security and management.
The ICO has said that although the forthcoming reforms to EU data protection laws would not apply directly to the UK if it were not a member of the union, UK data protection standards would nevertheless have to be “equivalent” to the EU’s GDPR if the UK wanted to trade with the single market. The ICO has said it intends to call on the Government to reform UK law on data protection, which currently comes under the Data Protection Act. How similar these rules will be after Brexit is simply unknown at this point, because the finer details will be part of the negotiation process between the EU and the UK in the coming years.
The key point for UK businesses is that the GDPR is still going to affect UK businesses offering any type of service to the EU market, regardless of whether your business stores or processes data on EU soil, and whether the UK is in the EU or not.
Your business needs to understand that what triggers the applicability of the GDPR is whether the data it handles is about EU individuals or has the potential to identify individuals that find themselves in the EU – not about whether your business is in the EU.
The obligations imposed on business by the GDPR include an obligation to:
- Perform data erasure in response to individuals’ exercise of their “right to be forgotten”.
- Ensure that any personal data your business holds has been collected after obtaining consent that was explicit, rather than implied.
- Allow individuals to see their own data, and to release a copy of any data your business holds about them in a commonly readable format, so they can transfer personal data from one service provider to another.
- Notify the relevant data protection authorities of any data breaches within 72 hours – in the UK it’s the ICO.
The free flow of data between the UK and the EU will likely require the UK to join EFTA (European Free Trade Association) or be confirmed as “adequate” by the European Commission, i.e. to provide an equivalent level of data protection to the EU.
The Commission would, of course, need to consider the robustness of the data protection law regime in the UK before making such a decision.
The latest statement from the ICO is:
“The Data Protection Act remains the law of the land irrespective of the referendum result… If the UK is not part of the EU, then upcoming EU reforms to data protection law would not directly apply to the UK. But if the UK wants to trade with the Single Market on equal terms we would have to prove ‘adequacy’ – in other words UK data protection standards would have to be equivalent to the EU’s General Data Protection Regulation framework starting in 2018.”
Whichever route the UK takes, your business should carry out a gap analysis of its current data practices and procedures.
It should consider taking the following steps:
- Implement policies and procedures to deal quickly with breaches of data protection.
- Ensure that existing policies meet the accountability standards prescribed by the GDPR.
- Conduct a review of what data processing your business undertakes and decide whether it is necessary to hold all the information your business currently holds, about customers for example.
- Conduct a review of what legal basis your business relies upon to justify the use of personal data it obtains, both in respect of customers and employees. For example, if your business relies upon the consent principle, does its current consent procedure comply with the GDPR’s requirement for consent to be ‘freely given, specific, informed and unambiguous, shown either by a statement or a clear affirmative action which signifies agreement to the processing’?
- Consider carrying out a review of any contractual documentation that your business has with any third parties if it outsources any of its data processing.
- Conduct a review of your business’s technology systems in order to check whether its systems can transfer individuals’ data to others and that its security systems are robust enough to prevent disclosure of third party data to unauthorised recipients.
Blog by John Lambe, Partner and Head of Dispute Resolution at Hillyer McKeown