Brexit and the GDPR: what’s the hassle?

Brexit and the GDPR: what’s the hassle?


If you work in cybersecurity or in the legal sector, you’ve probably heard of the infamous “GDPR” or General Data Protection Regulation. The GDPR is the European Commission’s latest and most far-reaching attempt at harmonising data protection rules in the EU. The aim is to protect the privacy of EU citizens by imposing stricter rules on any entity that collects and/or processes personal user data. The GDPR will enter into effect in all Member States from 25 May 2018. Smack in the middle of… Brexit.

Which impact will Brexit have on the implementation of this new EU law? The relevant authority in the UK, the Information Commissioner’s Office (ICO) has made the following statement: “The government has confirmed that the UK’s decision to leave the EU will not affect the commencement of the GDPR.” And further: “We acknowledge that there may still be questions about how the GDPR would apply in the UK on leaving the EU, but this should not distract from the important task of compliance with the GDPR.”

Simply put, the ICO acknowledges the need for uniform rules regarding data protection, especially when so many businesses operate cross-border. And since the current UK Data Protection Act (DPA) dates back to 1998 – when internet was taking its first baby steps and mobile phones were as futuristic as flying cars – falling back on the DPA isn’t going to guarantee protection of British nationals’ privacy. If anything, the GDPR provides an adequate, common legal framework, on which the UK can build if necessary.

We would therefore definitely recommend to all businesses to check their compliance with the new data protection rules. Don’t think of the GDPR as an EU law, but as a new definition of data protection standards that will be applied throughout the European continent, whether the UK decides to opt-in or not.

What does that mean in practice?

The GDPR applies to all processors and controllers of personal data. Personal data means any bit of information that could lead to the identification of an individual. Examples of such data are names, surnames, (e-mail) addresses etc., but also IP addresses, identification numbers or location data.

If your company decides on how and why personal data is processed, it most likely will be considered a controller. If it processes data on behalf of another company acting as controller, it’s a processor. Here’s an example: if you own an e-commerce business selling shoes on the Amazon platform, you’re a data controller. You collect contact details of your customers in order to ship their purchases to the correct address. Amazon will process the data accordingly, but makes no decision on which information is collected and why: therefore, it’s the data processor. Of course, Amazon also has its own sales platform: in that case, Amazon is both data controller and processor.

Data controllers and processors have new responsibilities under the GDPR. First and foremost: transparency. Controllers need to give data subjects all relevant information on which data is collected and for which purposes. Data subjects must also have the right to demand their data is modified, erased or transferred at their request (remember the hype around Google and the “right to be forgotten”? Same same but different).

Another catchphrase of the GDPR: protection by design. Basically, it just means that privacy of data must be a priority when designing and setting up a new company. Don’t go organising your mailing list in a certain way and once you’re up and running realise that it violates your customers’ privacy. It’s just not a good way to do business anyway. Get advice on a good privacy policy right from the start.

That’s the prevention side of things. If you encounter a data breach, you also need a reaction policy. The GDPR requires that a risky data breach is notified to the national Data Protection Authority within 72 hours of discovery of the breach. If there’s a high risk of personal rights being violated, the data subjects concerned need to be informed asap as well.

Many companies work with partner companies who they exchange certain data with. You might want to keep the following in mind: the GDPR requires that you and your partners make clear arrangements on duration, purposes and security measures concerning the processing of the data. If the partner company is not in the EU, you’ll need to verify if it can guarantee an adequate level of protection. A list of countries with adequate data protection laws can be found on the website of the European Commission. It’ll probably apply to post-Brexit data protection regulation in the UK too.

Finally, be advised that non-compliance with these obligations can lead to administrative sanctions. Fines can get pretty nasty, up to 4% of your annual turnover. That’s why getting a clear picture of your company’s GDPR compliance is pretty important. If you have any further questions, don’t hesitate to contact us!

Written by Morgane Van Ermengem, legal officer at theJurists London.