3 August 2016
NEWS RELEASE: UK Firms Face Tough EU-Wide Data Protection Rules, Despite Brexit


British firms are facing tough EU-led rules on data protection, and that’s despite the Brexit vote, warns Tayside-based solicitors and estate agents Miller Hendry.

A major milestone in EU data protection law was marked when the General Data Protection Regulation (GDPR) was adopted just before the EU Referendum. The legislation, which was set to replace the UK’s 1998 Data Protection Act, marks a tough new era in EU-wide data protection. It includes new powers for data regulators and much stricter operating boundaries for businesses processing personally identifiable information about individuals.

But if UK companies thought the EU Referendum result meant they wouldn’t have to comply with the new regulation they are wrong, says Miller Hendry. Companies ignore the new requirements at their peril as they are likely to find that they have to comply with the regulation, or a UK version in a very similar form.

The aim of the new regulation is to harmonise data protection across all EU member states. Being an EU Regulation, rather than a Directive, it becomes law without the need for any national legislation in the 28 individual EU countries. That makes it simpler for everyone, including non-European companies, to comply with data protection, say legal experts. However, it comes at a cost, with greater responsibilities for data processors and with severe penalties of up to 4% of worldwide turnover for non-compliance.

The biggest change is that the Regulation applies to any business processing personally identifiable information about EU citizens, not just to businesses based within the EU. This means that any UK business that is trading with EU citizens will be affected, as will anyone who transfers personal data from the EU to the UK for processing or storage.

And it’s expected that any new legislation brought in by the UK Government will be equally tough. According to the Information Commissioner’s Office (ICO), the UK’s regulator, the GDPR is still relevant for the UK as “the underlying reality on which the policy is based has not changed”.

The situation may be further complicated during the transition process because, until the UK has data protection laws which the European Commission recognises with a formal adequacy decision, companies that move personal data from the EU to the UK would need to implement some other mechanism, such as standard contract clauses approved by the Commission.

Alan Matthew, employment law expert with Miller Hendry, said:

“UK businesses will have to keep their foot on the pedal when it comes to data protection. UK companies, whatever their size, who trade in the EU or want to be able to transfer personal data in from the EU, should be looking to adopt GDPR as a minimum standard.

“For any trading relationship between the UK and the EU, our data protection law will need to be broadly equivalent. If we were to stick with the current 1998 Act, we could expect other countries to view our regime as providing insufficient protection.”

The main provisions of the GDPR include:

Consent – Currently, much data is collected on the basis that individuals will choose if they wish to opt out. In future, an individual will have to make a positive action that demonstrates their consent, in order for their data to be collected.

Transparency – More information will have to be provided by the processor from the outset about how data will be used and how long it will be kept for, as organisations must not hold on to data for any longer than absolutely necessary.

Accountability – There is a shift from risk management to compliance so, in future, organisations will have to be able to show that they are actively complying with the GDPR, not just identifying risks or responding to breaches as they occur.

Specialists – A specialist Data Protection Officer will be an obligatory appointment for most public bodies and for any organisation controlling or processing data where core activities involve “regular and systematic monitoring” of data subjects “on a large scale”.

Breaches – Currently some breaches may be managed internally without reporting, but in future there will be a statutory obligation to notify the regulator (the ICO in the UK) and the individuals affected, if there is any risk to an individual’s personally identifiable information as a result of any breach. Fines will be imposed for breaches: up to a maximum of €20m, or 4% of total worldwide turnover for businesses, for serious contraventions.

Children – No one under 13 can give their consent to the processing of personal data in relation to online services, and so parental consent must be obtained. Member States are free to set their own rules for those aged 13-15. If they do not, then parental consent will be required for children under 16.

For further advice or information on employment law or other legal issues, visit www.millerhendry.co.uk