“What happens to GDPR after Brexit?” is a question we often hear. The short answer is that the EU General Data Protection Regulation (GDPR) will continue to apply to UK companies that collect or process data pertaining to EU residents after Brexit.
The assumption that GDPR will not apply after the UK leaves the European Union is an often-stated excuse for doing nothing, and it comes from the owners of many, many companies.
To be clear, what happens to GDPR after Brexit is that UK businesses offering services to EU residents (regardless of where they hold the data) will have to adopt more stringent rules than the ones currently imposed by the 1998 UK Data Protection Act (DPA). If the UK does not agree to either continue to adopt GDPR or implement a substantially similar law, personal data flows with Europe will not be permitted. To this end, the UK Government have already indicated they will enact a substantially similar law after Brexit.
More about GDPR
Undoubtedly you will have heard about GDPR and will know that the regulation, which comes into force on May 25th 2018, introduces a set of rules that are tougher than the DPA.
Obligations and Requirements
The GDPR places obligations on your organisation to fulfil a range of individual rights.
If an individual withdraws their consent for you to store or process their personal data, you are legally obliged to erase all data pertaining to the data subject. For clarity, all data means all data, including backups, archives and paper-based records. Data subjects have a “right to be forgotten” under GDPR law.
You will be obliged to seek clear and positive consent to collect, store and process personal data. Any consent to process personal data must be specific and the data cannot be used for any other purpose.
The GDPR will affect every firm or public body that holds or uses the personal data of people resident in any of the member states regardless of where the entity is domiciled.
GDPR is going to affect UK businesses offering any type of service to the EU market, regardless of whether the business stores or processes data within the EU or not. Most importantly it will continue to affect UK businesses after Brexit.
Failure to Educate your Staff
Education within your business is critical. If your colleagues are collecting data without understanding that the key to triggering GDPR is where the data subjects live rather than where the data lives, you will end up having to defend your company against claims that you are collecting and processing data that you shouldn’t. The situation gets worse if you then use this data as part of a Big-Data initiative.
The bottom line is this. GDPR will not be abandoned after Britain leaves the EU. Yet many firms have delayed their plans for GDPR compliance in the hope that it will. So, if you are still wondering what happens to GDPR after Brexit, don’t be misled. Strict regulations will continue to govern the way UK businesses process the personal data of EU residents.
The GDPR Guys are here to help you navigate this minefield. There is a wealth of information on our website and our blog (www.gdprguys.com/blog). If you are unsure about any aspect of GDPR, contact us.