Data Protection – what you need to know in a post Brexit world

Data protection is an issue that every company needs to take seriously. If you collect any data on an individual, you’ll need to comply with the relevant regulations governing data protection in the area they are resident. Following the UK’s departure from the European Union, many UK companies are required to comply with both domestic and international regulations on data protection. And fines for non-compliance can be severe. In the UK, British Airways was fined £20 million in 2020, after their website was hacked and personal data exposed.

Make sure you’re in compliance with data protection regulations. To speak to one of our specialist lawyers, contact us today.

Data Protection and GDPR in the UK

The General Data Protection Regulation (“GDPR”) is still very much alive in the UK, even after the end of the Brexit transition period (31.12.20). If you heard of UK GDPR and wondered what it means, the short answer would basically be the same “old” GDPR renamed as the Data Protection Act 2018 with added parts and chapters that are specific to the UK. So, UK organisations that collect or process personal information of UK residents need to comply with the UK GDPR, and if they collect or process in addition personal information of EU nationals, they will need to comply with the EU GDPR as well.

Transfer of personal information with the US

Fun fact: Back in July 2020 the Court of Justice of the European Union (“CJEU”) declared that the framework governing the transfer of personal information between the EU and the US (also known as “Privacy Shield”), is no longer valid. That means that, until a solution can be found, the law now regards the transfer of personal information between the EU (and UK) to the US, the same way as transferring the information to China…

Data Protection - things to consider:

  1. Transfer of personal data.
    Two adequacy decisions made by the European Commission in June 2021 allow for almost unconditional flow of personal data between the UK and the EU (as the UK is now being considered ‘a third party’ in the eyes of the EU GDPR).However, transferring personal data from the UK to other non-EU countries is subject to heavy restrictions, and organisations that fail to meet the necessary legal requirements can face heavy fines. Yes, these include third party service providers (such as cloud services) located almost anywhere in the world (the US and India, to name a few).

    Basically, a Data Processing Agreement (DPA) or a Data Sharing Agreement (DSA) must always be in place to safeguard you from the risks of transferring personal information of your customers, employees or partners.

  2. It’s not just GDPR…
    The UK GDPR (and the EU GDPR where applicable) is not the only legal framework to be in effect in the UK with regards to the handling of personal information. The Electronic Commerce (EC Directive) Regulations 2002 (also known as the ‘e-Commerce Regulations’) govern the way personal information is collected via websites and other electronic devices.That means that any organisation that conducts business via its website, and that collects information from its users (whether by means of completing an online form or by using cookies and other tracking devices) must adhere to those regulations as well.

    It is therefore crucial for UK organisations to have in place proper Terms of Use, a Privacy Policy and a Cookies Policy to ensure that they receive their customer’s consent for such collecting or processing of information, as well as to allow those organisations the maximal protection under the law.

  3. There can be huge fines for non-compliance.
    The UK GDPR allows for the Information Commissioner’s Office (“ICO”) to fine organisations for non-compliance with the law of up to £17.5 million or 4% of their annual global turnover. That’s a lot! The biggest fine so far was a $877 million fine (!) suffered by Amazon in July 2021 for the unlawful use of cookies. While the main concentration of enforcement has (and likely will continue to be) on larger organisations, if your business is aiming to exit to a larger competitor this becomes very important during due diligence.

    In the UK, one of the biggest fines to date was a £18.4 million fine, suffered by Marriott International Hotels after a hack into their systems exposed the personal information of about 300 million of their customers worldwide.

How to reduce your data protection risk

It is crucial to have in place strict policies and procedures so that every principal, manager and employee in the organisation knows exactly what to do and what not do to when dealing with personal information. These include, for example, restricting access to the data, training personnel, physical and technological separation and protection of information, system recovery protocols, system breach protocols (including how to handle with ransom threats by hackers). 

Get expert legal advice on data protection and GDPR

It is hard to imagine a business operating today that doesn’t collect some form of data on its customers or website visitors. But the collection of data comes with clear obligations and a need to comply with relevant regulations like GDPR. It’s important to ensure that your business meets these obligations and avoids the (significant) fines that can be issued.

If you are unsure of your data protection obligations or your company would benefit from a review of your current policies and procedures, then seeking legal advice is an important step and can help to reduce your risks. We specialise in helping start-ups and high-growth ventures with data protection and GDPR compliance.

For a no-obligation discussion to discover how we could help your business, please contact us today.