The impact GDPR has already had shouldn’t be ignored. Between May 25th and July 3rd 2018, the ICO already received an immense 6,281 complaints concerning possible data breaches. This is a 160% increase on the same period in 2017, demonstrating how GDPR has raised awareness of how personal data is used and the protection regulations surrounding it – this is an issue that many people have taken to heart. But what about GDPR compliance after Brexit?
The United Kingdom may be leaving the EU on March 29th 2019, but that won’t mean the end of GDPR. Whether a deal is reached or not, the data legislation will still hold for British businesses. The European Union (Withdrawal) Act 2018 ensures that when Brexit comes into effect, GDPR will be incorporated into UK law – so fundamentally, GDPR compliance after Brexit will remain the same.
Anyone hoping to use Brexit to evade the ramifications of GDPR will be sorely disappointed. There will likely be some small changes to make GDPR fit the UK’s individual needs, leading to separate “UK” and “EU” versions of GDPR, but the framework will probably remain the same.
What does this mean for UK firms? Ultimately, GDPR compliance should still be a major focus. Once the UK leaves the EU, there will be little change to data protection regulation, meaning that the same measures need to be taken both pre- and post-Brexit. While the exact details remain to be seen, it is likely that data breaches will be treated in a similar manner, with near-identical penalties for data breaches.
There is an additional factor, however. With the UK no longer a member state, it’s uncertain whether data will continue to flow freely into and out of the EU. It’s important to keep an eye on how this issue develops; it will depend on the eventual deal between the UK and EU. It seems likely that a solution will be found, but companies should put safeguards in place for either eventuality.
Fundamentally, GDPR is here to stay. Brexit won’t change that, and with greater media attention on data protection, it’s at the forefront of everyone’s minds. The penalties for non-compliance are severe, and not to be risked.
For our help in ensuring GDPR compliance after Brexit and before, contact us today for our Gap Analysis and consulting. We also offer Data Protection Staff Training to improve the data protection knowledge and confidence of your employees.
There are many GDPR consequences that affect everyone – whether you’re an individual, a small business, or a large multi-national organisation. GDPR will hugely influence many areas of business – some areas that we may not have even thought about.
Of course, one consequence is the need to hire a Data Protection Officer (DPO). For large or complex organisations, this will be a mandatory position that must be filled under the GDPR regulations. This has a financial consequence for organisations, though. Naturally, the DPO will require a salary, but there are many more costs that will arise because of GDPR. With more expenses comes less profitability for a company – as this article (https://www.forbes.com/sites/richardstiennon/2017/11/27/unintended-consequences-of-the-european-unions-gdpr/#35390768243c) states, “Lower profitability means lower investment, fewer startups, and slower growth.”
This may only be temporary as companies and businesses adjust to the new regulations, but no doubt it will be a big consequence of GDPR, especially for smaller businesses. There are also many procedural implications arising from the changes that businesses have to make around withdrawn consents, for example.
There will also be a potentially big effect on technology – and going back to the article, apps from iTunes and Google Play could be a big part of that. Richard Stiennon states in the article that, because of the extra leg-work required for storing, controlling, and processing EU citizens’ data, small-time (and even big-time) companies that produce apps may cease to collect EU citizens’ data at all. This would result in EU citizens being unable to download certain apps purely because of where they live.
This is definitely an unforeseen GDPR consequence, and it might not be limited to apps either. New technologies, computer software and more could be off limits because companies don’t want to deal with the added work, costs, and potentially hefty fines of GDPR. This is something that needs addressing by the EU; otherwise, organisations could fall well behind other countries in terms of technological advancement and economically…
Read Richard Stiennon’s article in full here: https://www.forbes.com/sites/richardstiennon/2017/11/27/unintended-consequences-of-the-european-unions-gdpr/#35390768243c
Also of course, if you hire us to deliver a GDPR compliance programme or work as your DPO, we can hopefully help you nip these difficulties in the bud, so you won’t need to think about drastic steps like barring EU customers…
GDPR is going to be a big challenge for organisations to implement, but the consequences of breaches and of failing to comply with GDPR can be huge. GDPR fines and penalties could potentially cripple an organisation that fails to adhere to the new regulations.
If there is any breach of data, such as a hack, the data controller must notify the Supervisory Authority no more than 72 hours after becoming aware of the breach (the clock starts at awareness, not at the breach itself). There is no room for misinterpretation or excuses here – if the Supervisory Authority is not notified within the 72 hours, the notification of the breach must be accompanied by a suitable reason from the controller for the delay. A suitable reason would be something outside the controller’s power – a power outage, for example.
Notifying the data subject (i.e. the person whose data is being held) is slightly different, though. The data subject must be notified of any potential breach UNLESS the data is anonymised – that is, not immediately recognisable as the original data supplied by the subject. Pseudonymised or encrypted data hides what the data actually is behind a mask or code, with only a small number of people able to uncover its true meaning. Without the means to do that, the data is essentially useless.
Data can be thought of as raw facts and figures that, on their own, appear to make no sense. We must add categories and context to the data for it to become information and knowledge. Hence, if a piece of data is hidden behind a mask or code, those who don’t know how to unlock it cannot even know what data they have obtained.
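As an added illustration (not code from the original post), here is one way a controller might pseudonymise a customer export so that the exported copy reveals nothing on its own, while a separately held key and mapping table let a small group re-identify records. The records, the key and the use of HMAC-SHA256 tokens are assumptions constructed for this example, not something the post prescribes.

```python
import hmac
import hashlib

# Constructed sample records for the example (not real people).
CUSTOMERS = [
    {"email": "alice@example.com", "postcode": "SW1A 1AA", "orders": 12},
    {"email": "bob@example.com", "postcode": "M1 1AE", "orders": 3},
]


def pseudonymise(records, key: bytes):
    """Replace the direct identifier (email) with a keyed token.

    A keyed HMAC is used rather than a plain hash so that someone holding only
    the export cannot re-identify people by hashing guessed email addresses:
    recomputing a token requires the key, which is stored separately.
    Returns (export safe to share internally, mapping table kept by the controller).
    Note: remaining fields such as postcode can still be identifying in
    combination, so this is pseudonymisation, not anonymisation.
    """
    export, mapping = [], {}
    for rec in records:
        token = hmac.new(key, rec["email"].lower().encode(), hashlib.sha256).hexdigest()[:16]
        export.append({"subject_id": token, "postcode": rec["postcode"], "orders": rec["orders"]})
        mapping[token] = rec["email"]
    return export, mapping


def reidentify(export, mapping):
    """What the few people holding the mapping table can do; useless without it."""
    return [{**r, "email": mapping[r["subject_id"]]} for r in export]


def exposure_check(export, key: bytes, candidate_emails):
    """Defender's check: which candidate emails can be linked to the export
    with this key? With the wrong (or missing) key nothing links, which is
    what makes a leaked export alone low-risk to the data subjects."""
    tokens = {r["subject_id"] for r in export}
    return [
        e for e in candidate_emails
        if hmac.new(key, e.lower().encode(), hashlib.sha256).hexdigest()[:16] in tokens
    ]
```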
FINES AND PENALTIES
The consequences for failing to comply with GDPR can be huge, but while you may see big figures bandied about, those are not necessarily the fine you or your organisation will receive. Each case will be considered against a set of conditions to judge whether a fine will be needed, and how much.
These conditions are:
- How big and widespread the infringement was and how much and how many data subjects it affected. The type of data affected will also be considered.
- If there was any (intentional) neglect from the organisation concerning the infringement.
- Whether the data controller took action to prevent damage to the data subjects (e.g. if there’s a breach, the 72 hours you have before notifying the Supervisory Authority can be used to minimise the damage to your customers, contain the breach and set up suitable preventions, then notify the Supervisory Authority – this will potentially help your case).
- How your data was protected initially will also be considered. If an organisation does not have suitable security measures in place, and cannot show demonstrable controls, this will negatively affect the organisation’s case.
- The responsibility of the processor or controller and if they have had any previous infringements.
- The cooperation with the Supervisory Authority to fix the infringement.
- How the Supervisory Authority became aware of the infringement.
- The extent of adherence to codes of conduct specified by the Supervisory Authority.
- Any other factors relevant to the specific infringement in question, including but not limited to financial gains and losses.
A worst-case scenario can see a fine of up to 20,000,000 Euros, or up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is greater. This is again dependent on a certain set of circumstances (including lack of compliance with the Supervisory Authority) and these figures can be lower (up to 10,000,000 Euros and 2%) because of that. The important phrasing here, though, is “up to”. It is unlikely that any organisation will be fined 10,000,000 Euros unless they severely infringe on the regulations and the data affected is of high risk.
Remediation costs will also significantly affect organisations post-breach. An organisation’s size, how many employees it has and how many data records are affected by a breach all determine its remediation costs. Using the supermarket chain Morrisons as a recent example: it lost 100,000 employee records, and with current estimates of remediation costs, the minimum Morrisons could potentially be looking at is £75 million. That is a huge cost simply to remedy a breach, and a figure of that scale would be huge for any organisation.
These consequences seriously highlight the need to comply with GDPR thoroughly and securely, and it’s vital to get your business or organisation fully compliant before the regulations come into force in May 2018. Ask us now for a Gap Analysis or GDPR project delivery.
The source for much of this information is “Guidelines on Data Protection Officers”, a comprehensive guide on all things GDPR and a vital read for any Data Protection Officer.
You can also read our take on Equifax’s breach and lack of compliance with GDPR right here: https://activaconsulting.co.uk/activa-consulting-news/equifax-affected-under-gdpr-laws/