Worryingly, one in four businesses in the UK wrongly believe that they no longer need to comply with the EU’s General Data Protection Regulation (GDPR) and have scrapped their plans to prepare for the change in legislation. In this blog post, we spoke to Julian Parry of Beers LLP, to seek clarification on the law.
In the UK, GDPR will apply from 25th May 2018 and will supersede the Data Protection Act 1998. An all-new law, GDPR gives individuals greater control over what businesses can do with their personal data and provides for much harsher penalties for non-compliance, including in the event of a data breach.
However, 24% of UK businesses have stopped preparing for GDPR because they believe Brexit means they will no longer have to comply. This is incorrect.
GDPR will apply to UK businesses from May 2018, well before Britain is due to leave the European Union on 29th March 2019; it is likely to continue to apply after that date; and, in any case, it applies to any business, wherever it is based, that offers goods or services to, or monitors the behaviour of, individuals in the EU. British companies are therefore not absolved from compliance by Brexit, and cancelling preparations for GDPR is not recommended.
With this in mind, we spoke to Julian Parry, Partner and Head of Commercial and Employment Law at Beers LLP, a firm of solicitors in Plymouth, to seek further clarification:
“Whether or not your business sells or markets in the EU, or has EU staff, customers, suppliers or data centres, it needs to become GDPR compliant, as this will be the data law applying in the UK very soon!
Not only will GDPR govern data processing for British businesses from May 2018, it is highly unlikely that the Government will relax the law after Brexit. Fines and penalties for non-compliance and data breaches increase significantly under GDPR: for very serious breaches, up to the greater of 20 million euros or 4% of global annual turnover. In addition, individuals will be able to sue businesses for compensation for breaches of their personal data rights.
The EU normally only allows the transfer of personal data to a non-EU country if it deems that the country offers adequate legal protection – in practice, data protection laws equivalent to or better than GDPR. GDPR will also apply to any business that deals with EU citizens’ data, wherever in the world it has its HQ.
The UK Government will realistically need to keep GDPR or agree an equivalent data privacy arrangement with the EU after Brexit, to ensure that the UK remains “whitelisted” by the EU and that UK businesses can continue to offer products or services in the EU both practically and lawfully.”
For legal advice, from preparing for the new law to handling subject access requests, contact Julian Parry at Beers LLP on 01752 246011 or at email@example.com.