The EU General Data Protection Regulation (GDPR) will continue to apply to UK companies that collect or process data pertaining to EU residents after Brexit.
The genuinely held (but legally incorrect) assumption that GDPR will not apply once the UK leaves the European Union is an oft stated excuse for doing nothing emanating from the ownership of many, many companies.
To be clear, after Brexit, UK businesses offering services to EU residents (regardless of where they hold the data) will have to adopt more stringent rules than the ones currently imposed by the 1998 UK Data Protection Act (DPA). If the UK does not agree to either continue to adopt GDPR or implement a substantially similar law, personal data flows with Europe will not be permitted. To this end, the UK Government have already indicated they will enact a substantially similar law after Brexit.
More about GDPR
Undoubtedly you will have heard about GDPR and will know that the regulation, which comes into force on May 25th 2018, introduces a set of rules that are tougher than the DPA.
Obligations and Requirements
The GDPR places obligations on your organisation to fulfil a range of individual rights.
You will be obliged to erase all data pertaining to a data subject if an individual withdraws their consent for you to store or process their personal data by exercising their “right to be forgotten”. For clarity, all data means all data, including backups, archives and paper files.
You will be obliged to seek clear and positive consent to collect, store and process personal data. Any consent to process personal data must be specific and the data cannot be used for any other purpose.
The GDPR will affect every firm or public body that holds or uses the personal data of people resident in any of the member states regardless of where the entity is domiciled.
GDPR is going to affect UK businesses offering any type of service to the EU market, regardless of whether the business stores or processes data within the EU or not. Most importantly it will continue to affect UK businesses after Brexit.
Failure to Educate your Staff
Education within your business is critical. If your colleagues are collecting data without understanding that the key to triggering GDPR is where the data subjects live rather than where the data lives you will end up having to defend your company against claims that you are collecting and processing data that you shouldn’t. The situation gets worse if you then use this data as part of a Big-Data initiative.
The GDPR Guys are here to help you navigate this minefield. There is a wealth of information on our website and our blog (www.gdprguys.com/blog). If you are unsure about any aspect of GDPR contact us here.