The aftereffects of Brexit on the GDPR
The UK’s decision to leave the European Union leaves the issue of data protection in some uncertainty given that the General Data Protection Regulation (GDPR) is expected to come into force in May 2018.
In efforts to dispel this uncertainty, it has been clarified that the GDPR will be effective from the 25th May 2018, until the confirmed Brexit date. The GDPR will supersede the current Data Protection Act from 1998 with the aim of providing more contemporary laws for the digital world and improve and strengthen data protection for EU citizens as well as increase business opportunities.
To recap some key requirements of the GDPR are:
- A higher threshold for consent. Consent must now be freely given, specific, informed and unambiguous shown by a statement or a clear affirmative action
- The mandatory appointment for a Data Protection Officer. This requires the appointment of someone with “expert knowledge” of data protection law to oversee and ensure compliance
- Tougher sanctions and fines. For non-compliance; up to 20 million Euros or 4% of annual worldwide turnover.
- Obligatory Privacy Impact Assessments. These will show an organisation has considered the risks associated with personal data practices.
- Data breach notification requirements. Breaches must be notified to the Supervisory Authority within 72 hours.
It is also likely that whenever Brexit does occur, laws very similar and stringent to the GDPR will be enforced; to sustain business in the European Economic Area and maintain the growth of the UK’s digital economy, a certain level of suitability is required which is probably comparable to the GDPR. Information Commissioner Denham confirmed that “For British businesses to share information and provide services for EU consumers, the law has to be equivalent.”
The ICO has announced that within the upcoming month it plans to publish a revised timeline which will detail the main areas of guidance that will be prioritised over the next six months. This timeline should therefore prove to be supportive in clarifying some of the ambiguous provisions detailed in the GDPR and how the ICO plans to interpret them.
So, if you have not started preparing it is highly advisable that you:
- Distinguish whether you are a data controller or data processor and review all obligations.
- Ensure that all personal data has been secured and check the control standards
- Draft an effective governance plan.
- Appoint and train those in your organisation.
The above is provided for information purposes only and does not constitute legal advice. Please contact Nath Solicitors for further information.
as a result