Unlawful sharing or storing of personal information is now under strict regulation, thanks to the implementation of the General Data Protection Regulation (GDPR), which came into effect on 25th May 2018 and affected businesses of all types, including the NHS and charities.
With fines of up to €20 million – or 4 percent of a business’s annual revenue – the GDPR could now bankrupt a business.
Should businesses keep the GDPR when Britain leaves Europe?
Short answer: Yes. Many businesses made costly improvements to their data security in time for the GDPR last year, and removing these precautions just because the law no longer applies would be a foolish move.
As much as the GDPR is about data privacy, it’s about ensuring businesses build a culture around the protection of data. With or without a Brexit deal, then, this culture should be preserved, as far as possible. This especially applies if businesses are handling international data from EU-regulated businesses.
Moreover, the GDPR cost a lot. The average large business spent between £300 and £450 per employee to become GDPR-compliant, and reconfiguring how personally identifiable data is handled, stored and, if necessary, destroyed has been a great challenge. For the NHS or charities – those without the financial backing of a big business – the GDPR was a cost that cannot (and should not) be undone.
How will Brexit affect the GDPR?
At the time of writing, the U.K. is set to leave the European Union on 29th March 2019.
Although this timeline will likely be kept, it could be pushed back as negotiations take place.
Whatever happens after Brexit, businesses will still have to comply with GDPR if they are serving content to European citizens. This means that if people in Ireland, France, Spain or Germany come to your website or interact with your business, you will still have to comply with the GDPR.
For national businesses that operate solely inside the U.K., data protection regulation is still strict. Just days before the GDPR came into effect, Parliament passed the Data Protection Act 2018 (DPA 2018), which sets out data protection rules similar to those of the GDPR.
Chances are, then, the DPA 2018 will replace the GDPR. As an employer, you’ll have almost the same data responsibilities, and you’ll need to demonstrate that you comply with the DPA 2018, just as you must currently demonstrate that you comply with the GDPR.
For more information on this, the Information Commissioner’s Office (ICO) has outlined the key points in the event of a no-deal Brexit.
As of right now, what will happen to the U.K. after Brexit is still up for debate. GDPR online training is a good step forward: it gives your staff the chance to set the politics aside and learn the simple rules about sharing and deleting personal data that employers must follow.
For smaller firms, understanding the GDPR is imperative. Processing personal data is harder without an in-house team dedicated to doing so. Elizabeth Denham, head of the ICO, explains:
‘There are 5.4 million businesses in the UK that employ fewer than 250 people. When it comes to data protection, surveys show they tend to be less prepared. They also have less time and money to invest in getting it right.’
The bottom line is: regardless of your business size, if the GDPR disappears, you should not undo your hard work. Instead, you should continue to educate yourself about data privacy, the DPA 2018 and the GDPR, and continue working on building a safe and secure data handling process for your business.