Brexit & GDPR: How will UK businesses be affected?

First published September 2016

Unfortunately for some, this is not entirely true. In fact, while the UK has voted to leave the European Union, many companies will still be constrained by the law. In short, if your business trades with European member states and possesses information on EU citizens, you will be affected.

Still confused or unsure about whether your organisation needs to comply with the new data protection and cyber security laws coming into effect in 2018? Read on to find out everything you need to know.

The consequences of delaying Article 50 of the Lisbon Treaty

The reason why most companies are so uncertain about how Brexit will affect compliance with the GDPR comes down to timing.

The government’s choice to delay the activation of Article 50 of the Lisbon Treaty until 2017 is significant as it means the UK will almost certainly experience life under the GDPR. The only eventuality where this does not happen is if withdrawal arrangements are negotiated and unanimously agreed upon before the regulation comes into effect on Friday 25th May 2018. However, this is unlikely to happen.

Here lies one of the most common misconceptions associated with the GDPR and Brexit. Many organisations believe that the UK’s exit from the European Union means that they will not have to prepare for change as the regulation will only affect the remaining 27 EU member states. This is simply not the case.

The GDPR and the Long Arm of the Law

If your organisation is not familiar with the intricacies of the GDPR (just like 44% of IT professionals indicated in a recent poll by Computer Weekly), the companies most likely to be affected are those that offer goods or services to EU citizens, as well as collect, control, handle or process data on individuals residing in a European member state.

So regardless of whether the UK is in the European Union or not, if you are a company that performs any of the aforementioned actions in relation to an EU resident, you will need to abide by the laws governed by the GDPR. Territories such as the United States, India, Australia and China will all be affected in the same way.

Problems associated with Brexit and GDPR

The most common problem faced by the majority of UK-based organisations is that they already possess personal data from individuals living in the remaining 27 EU member states (including UK citizens living in the EU).

If those responsible for data collection at your business do not fully understand the new guidelines and utilise this data in an unlawful manner, the consequences may be devastating.

If this is a situation that your business finds itself in, compliance with the GDPR is imperative otherwise you may experience the following:

• An unexpected expenditure from your cyber security budget due to the legal implications of obtaining data unlawfully
• A fine from the GDPR governing body, which could range from €250,000 to €1,000,000, or 2% of your global turnover, due to breaching outlined provisions
• Difficulty utilising and processing existing data to use in Big Data initiatives after 2018
• Indecisiveness at board level resulting in an incredibly short time scale to implement necessary processes and safeguards

Should your business still prepare for the GDPR?

If your business trades with or processes the personal data of EU residents, you will still be bound by the new regulation’s provisions. There are only a few requirements that may no longer apply – for example, the necessity of a Data Protection Officer.

If your business does not directly trade or collect data from individuals in the EU, you should still review your data protection processes.

The GDPR has been put in place to highlight data protection best practice. Therefore, the best advice for companies is to embrace this new framework, as it is likely the UK will soon have its own data protection regulation that utilises similar principles.

Leaving the European Union will not make a significant difference to the majority of UK businesses with regards to the GDPR. If your company already has a framework in place that it is using to ensure compliance with the GDPR, it is recommended that this planning and preparation continues.

If you’re unsure about where to start, organisations should look to implement the following:

• A review of all technical and procedural controls around your data, including the data that it currently possesses
• Re-writing all documentation associated with your organisation’s privacy policies so that they are in clear and concise terms (or plain English)
• Creation of new processes and procedures that will help to handle data subject and data deletion requests

The GDPR is not something that should be considered an inconvenience. It has been created so that companies are better able to cater to the needs of their customers, whilst formulating universal best practice protocols to aid information management policies, procedures, and technologies. This will minimise possible data loss incidents, as well as data breaches.

Is your business ready for the General Data Protection Regulation?