GDPR Post-Brexit – The Data Regulation Frontier in the United Kingdom After Brexit
Yes, Brexit is happening! The United Kingdom is scheduled to exit the European Union by the end of this month i.e. on 31 January 2020. And there are already loud callouts on social media for hundreds of thousands of people to gather in Westminster at 23:00 on 31/Jan/2020 to celebrate Brexit and usher in perhaps what you could call the “new and rediscovered” United Kingdom.
The General Data Protection Regulation (GDPR) came into force in May 2018 across all the European Union (EU) member states and the European Economic Area (EEA). The regulation requires businesses and organisations to protect the personal data and privacy of EU citizens. The regulation aims to give individuals greater control over their privacy, how their personal data is collected, stored, shared, and generally used.
Whenever there are data breaches or information breaches, the regulation requires that “culprit” businesses and organisations must report the events to authorities and inform individuals affected or impacted by such breaches, all within the stipulated time frame; usually within 72 hours of them finding out about the breach. The regulation imposes hefty penalties on non-compliance.
Perhaps it’s fitting to emphasise that the word “organisations” is used here loosely to include for-profit organisations, not-for-profit organisations, and government institutions and offices. Literally speaking, every type of organisation that handles or comes into contact with personal information of people in the EU is factored into the word.
GDPR Basics: Make sure you know what information you hold, where you hold it, why you hold it, and how people consented to give it to you.
The Information Commissioner’s Office (ICO) is the independent data protection and information rights watchdog in the UK. The GDPR regulation was adopted into UK law through the Data Protection Act 2018 (DPA 2018).
According to stats and reports published by the European Commission on the occasion of the first-year anniversary of the GDPR regulation, over two-thirds (67%) of Europeans have heard about GDPR and nearly 90,000 Personal Data Breach (PDB) reports were received across Europe within the first year of GDPR.
In October 2019, Österreichische Post AG (ÖPAG); the national postal service providers in Austria; was fined €18 million (approximately US$20 million) for illegally selling personal data of approximately 3 million Austrians to various third parties.
In January 2019, Google was fined €50 million (approximately US$56 million) by CNIL; the data protection and information rights watchdog in France; for breaching GDPR requirements for transparency and specific, unambiguous consent.
The online advertising industry is behind comprehensive illegal collection and indiscriminate use of personal data
In the UK, more specifically, similar stats and reports from the ICO show that PDB reports went up by over 324% to 14,000 by May 2019 from the previous reporting year when the reports were put together under the previous DPA 1998 legislation.
Some high-profile data breach and non-compliance cases reported in the UK include the maximum fine of £500,000 (approximately US$660,000) issued to Facebook for data breaches that allegedly occurred in 2017. The ICO later admitted that the fine could have been a lot higher under the GDPR legislation.
Under the GDPR regulation, a business or organisation that is found to have infringed on the provisions of the GDPR regulation, could be fined up €20 million (approximately US$22 million), or in some situations, up to 4% of its total worldwide annual turnover in the preceding financial year, whichever is higher.
Just thinking of the huge figure, you can understand the thoughts of the ICO re Facebook, and you might just say that Facebook was lucky, eh?
In July 2019, the ICO issued a notice of its intention to fine Marriott International £99 million (approximately US$131 million) for GDPR breaches relating cyber incidents suffered by the hoteliers which compromised the personal data of approximately 339 million guests globally.
In April 2019, a local government council in the Greater London area was fined £145,000 (approximately US$191,400) for unlawfully disclosing the personal information of more than 200 people.
In November 2018, Uber was fined £385,000 (approximately US$508,200) because the company failed to protect customers’ personal data during a cyberattack.
In May 2018, the UK Crown Prosecution Service (CPS); i.e. the UK equivalent to the U.S. Attorney’s Office (USAO); was fined £325,000 (approximately US$429,000) for the loss of several encrypted DVD discs containing records of police interviews.
A recent information breach (and a major security concern) occurred in the UK when the UK government inadvertently publicly published the full home and work addresses of over 1,000 New Year (2020) Honour recipients on the internet. As we understand it, the ICO is yet to rule on this matter or yet to publicly announced its ruling.
But, perhaps the biggest GDPR fine in the UK so far; in July 2019, the ICO issued a notice of its intention to fine the British Airways £183.39 million (approximately US$242 million) for GDPR breaches relating to cyberattacks suffered by the airline which compromised the personal data of approximately 500,000 customers.
You’d recall that in my article at the start of the year, I reviewed some major breaches that were reported in 2019
I’ve always posited that cybersecurity risks, threats, and attacks pose a significantly high risk to businesses and organisations. This is simply because breaches of information or data could potentially result in financial damages, operational damages, reputational damages, diminished investors’ confidence and exposure to potential regulatory, statutory, and other compliance issues, plus penalties.
The GDPR regulation permits free data flow between EU member states and EEA. But it places stringent rules, safeguards, and controls on the transfer of data from the EU to recipients in a third country, a territory, or an international organisation.
Implicitly, therefore, after 31/Jan/2020, the UK will be considered a “third country” by the EU, and all relevant rules applicable to third countries and international organisations under the GDPR will become applicable to the UK. Conversely of course, after the Brexit date, the EU GDPR will no longer apply to the UK.
So, it’s quite understandable that one of many questions which has repeatedly popped up in conversations with businesses and organisations up and down the country is; what does a post-Brexit UK mean to businesses and organisations in terms of GDPR requirements?
My reassuring response is always; there is no immediate or critical need to fret or be excessively be worried.
According to the ICO, “the UK government intends to write the GDPR into UK law, with the necessary changes to tailor its provisions for the UK (the ‘UK GDPR’).”
This implies that the UK government will immediately incorporate the EU GDPR into UK law with only necessary UK-specific changes to bring about the UK GDPR.
If you are a UK business or organisation that receives personal data from contacts in the EEA, you need to take extra steps to ensure that the data can continue to flow after Brexit.
If you are a UK business or organisation with an office, branch or other established presence in the EEA, or if you have customers in the EEA, you will need to comply with both UK and EU data protection regulations after Brexit. You may need to designate a representative in the EEA.
Yes, there would be some changes but these would be absolutely necessary changes, and both sets of regulations are expected to be substantially very similar.
My understanding, therefore, is that any immediate changes that’s required to be made to the UK GDPR will not require complete rework of your existing internal controls, processes, frameworks, policies, procedures, and reporting in your management information systems.
For UK-based SME businesses and organisations that want to keep data flowing between the UK and the EU, the ICO has released an interactive tool that could help you determine whether Standard Contractual Clauses (SCCs) could help you maintain the flow of data, in the event of a no-deal Brexit.
Remember, whatever effective controls and processes you currently have in place to address the EU GDPR regulation, these may require a few changes to ensure they remain relevant to the UK GDPR. But, rest assured, they would still be reasonably effective and applicable post-Brexit. And I expect the ICO would give businesses and organisations some reasonable time to implement whatever necessary changes emerge.
I envisage that the probabilities of cybersecurity risks, threats, and attacks will probably most likely increase/heighten in the few weeks, months, and possibly couple of years right after Brexit. My informed understanding, however, is that whatever effective controls, monitoring, and response strategies & policies you already have in place would suffice, for now. Of course, the key operative word here is “effective“!