Top Tips: GDPR in a post-Brexit world

Here we share our five top tips for safely navigating the post-Brexit waters with specific reference to the GDPR.

Confused? Don’t worry!

The momentous outcome of the 23 June 2016 referendum vote on the UK’s membership of the EU has left UK businesses wondering about the ongoing impact of GDPR. This means now is the time to work closely with suppliers and industry experts to discover how this affects your organisation. With so many businesses operating internationally, and accessing services that cross borders, the importance of consistent data protection laws and rights has never been more crucial, or more confusing.

Prepare for GDPR because you can’t avoid it

With 2019 now being mentioned as the very earliest we’ll be out of Europe, UK companies will have to adhere to the GDPR when it comes into final force on 25th May 2018. That is less than two years away, and unless there is specific intervention from the Government in this area, which seems unlikely, those companies of over 250 employees processing more than 5000 records of personally identifiable information annually need to get to work to ensure they are GDPR-ready.

Don't mistake outside of the EU for outside of its laws

Perhaps the single biggest misconception about GDPR is that once the UK finally leaves the EU, we will no longer be subject to its privacy requirements. That would be nice and convenient but unfortunately it rather overlooks the fundamental point that GDPR is nothing to do with whether a company itself is in the EU; it’s all about whether the data that a particular company handles is about EU individuals, be they customers, prospects or employees. So even if you have no operations or subsidiaries in the EU, and are based wholly within the UK, it makes no odds – if you handle EU citizens’ personal information, you need to comply with GDPR.

Appreciate the extent of the GDPR’s influence

At some point in the future, the UK will be outside of the EU, and the GDPR will no longer directly apply (except for those handling EU citizen data as above), and we will revert to our own national laws for data privacy, just as we have now with the Data Protection Act. However, the smart money is very much on a GDPR-mirroring overhaul of the UK’s data protection framework, both to smooth the path for trade and to demonstrate the ‘adequacy’ of our privacy provisions that the EU is likely to demand as part of any new trade agreement.

Forget the bureaucracy, embrace the opportunity

It would be easy to denounce the GDPR as another grossly inflated round of EU bureaucracy, to kick against it resentfully and bemoan the huge costs and complexities of compliance. There is no doubt that the standards enshrined in GDPR have raised the data privacy bar to heights that have caught many by surprise. But once they have got over the shock, perhaps they will come to share the view expressed by Brett Hansen, Dell’s executive director of data security. He posits that GDPR should perhaps just transcend issues of legality or politics because actually it is at heart a good idea. “At some point companies are going to want to protect their data because it’s good practice. The GDPR is a forcing function but it’s a good idea because you will be better able to protect your company in terms of lawsuits and loss of customer data. They are enforcing what should be good practices…pushing everyone to get to that base level of protection.” Given that 80% of the UK economy is service-based and pretty much dependent on the safe and proper handling of data, then maybe the chance to really get our privacy house in order should be embraced.