The implementation of the European Union General Data Protection Regulation (EU-GDPR) in 2016 has redefined the legal landscape for the use of personal information by companies. But while the GDPR is still the go-to legislation for all EU member states, there have been changes in the data protection laws for the UK businesses because of Brexit. Read our overview of the current situation and the new legal requirements for British companies.
The UK’s Data Protection Act (DPA 2018) effectively enshrined GDPR in the UK, regardless of the country’s status within the EU. Prior to Brexit, the use of personal data and the flow of information in the UK needed to comply with the EU-GDPR as applied by the UK’s Data Protection Act (DPA 2018).
Following Brexit, the UK is no longer regulated by the EU-GDPR, as on 1st January 2021 the DPA 2018 was amended and now adopts a standalone UK law that is referred to as UK-GDPR and practically identical to the original EU-GDPR.
The UK version was changed to accommodate domestic areas of law that are, by definition, outside the scope of the European GDPR: national security, intelligence services and immigration.
It is important to mention that the current EU GDPR may also still apply directly to you if you operate in the European Economic Area (EEA), offer goods or services to individuals in the EEA, or monitor the behaviour of individuals in the EEA. Therefore, some UK businesses will need to comply with both UK GDPR/DPA 2018 and EU GDPR.
What are the fines for GDPR infringements?
|
The UK GDPR and DPA 2018 set a maximum fine of £17.5 million or 4% of annual global turnover – whichever is greater.
The EU GDPR sets a maximum fine of €20 million (about £18 million) or 4% of annual global turnover – whichever is greater.
In case of a data breach, you are required to report the incident within 72 hours to the Information Commissioner’s Office (ICO) and possibly to other institutions, depending on whether the breach affects people in other locations such as the European Economic Area (EEA).
The ICO has produced helpful guidance about the practical implications of cross-border personal data breaches, as well as a dedicated breach reporting page.
It is important to keep your customers’ data safe, as the potential infringement fines can be enormous. Last year, for instance, British Airways was fined over €204 million (around £175 million) by the ICO when the personal and financial information of around half a million of its customers was stolen.
|
Since 1st January 2021, the United Kingdom has been in a ‘bridge period’ which will last until June 2021 and ensures an uninterrupted data flow with the EU. During this time, the European Commission will assess whether the UK ensures a level of data protection that is essentially the same as the one it grants to all its citizens by the GDPR. The decision will then be re-examined in four years.
In February 2021, the European Commission issued a widely-expected draft adequacy decision, confirming that the current UK legislation regarding personal data protection is considered ‘sufficient’. For the draft to be adopted as an official adequacy decision, however, it still needs to be reviewed by the European Data Protection Board and approved by representatives of each EU member state.
Should the UK not be granted an adequacy decision, however unlikely that currently seems, the Information Commissioner’s Office (ICO) recommends using a legal instrument called Standard Contractual Clauses (SCC) that regulate data transfers between EU and non-EU countries. The ICO offers an interactive online tool that helps SMBs to decide what kind of SCC they should use.
Three types of UK SMBs
Based on who you do business with and where your company operates from, you fall into one of three categories with different legal requirements.
In any case, we recommend you review your privacy information and documentation to identify any changes now that the Brexit transition period has ended and keep up to date with the latest information and guidance. The following steps apply if the EU grants adequacy to the UK data security legislation.
|
UK businesses with no contacts or customers in Europe
If you already comply with the GDPR, receive no data from EEA contacts and have no EEA customers, you do not need to do much to comply now that the Brexit transition period has ended.
|
UK businesses that send or receive data to or from Europe
As a UK business that receives data from contacts in the EEA, you may need to appoint a European representative: someone with an overview of personal data in your organisation and access to relevant procedures. This can not be the same person as the Data Protection Officer required for the UK.
Your business in the UK will be covered by the UK data protection regime.
|
UK businesses with a European presence or European customers
You need to comply with both UK and EU data protection regulations.
If you have offices, branches or other establishments in the EEA, your European activities are covered by EU law.
If you are only based in the UK but you offer goods or services to individuals in the EEA or monitor the behaviour of individuals in the EEA, you need to comply with the EU data protection regime.
You may need to appoint a European representative: someone with an overview of personal data in your organisation and access to relevant procedures. This cannot be the same person as the Data Protection Officer required for the UK.
Source: Information Commissioner’s Office
|