A large number of UK firms may become GDPR non-compliant after Brexit
SEPTEMBER 11, 2020
Many UK firms which do not have an EU-based location may become GDPR non-compliant when the Brexit transition period ends on the 31st December 2020. This is because many small to medium size organisations are unaware of the requirements stipulated in Article 27 of the GDPR.
What is Article 27 and why should UK businesses be aware of it?
Article 27 of the GDPR relates to “representatives of controllers or processors not established in the Union” and sets out obligations that organisations without a presence in the EU have regarding data on EU subjects. In short, if you use data on clients, customers, or prospects in the EU but you don’t have a presence in the EU, Article 27 requires that you must appoint an EU-based representative. Until the Brexit transition period ends, UK businesses are not in breach of the legislation but after the 31st December 2020 it is likely that many businesses will unwittingly become non-GDPR compliant. Failure to take steps to address non-compliance could potentially lead to substantial fines or class-action type lawsuits from data subjects in the EU.
Maintaining compliance after Brexit
The majority of UK based businesses will have taken some, if not all, of the steps required to ensure that their processes were updated in line with the initial implementation of the GDPR in May 2018. Many businesses will have hired expensive GDPR consultants to help them assess and update their systems and to train internal stakeholders. However, as the UK was still a part of the EU in the lead up to the activation date for the GDPR, it’s likely that many consultants will not have taken the time to highlight the legislation in Article 27. Afterall, the UK was an EU based country at the time and therefore had no legal obligation to appoint an EU representative, as it was already a part of the EU.
When the UK negotiated the withdrawal agreement and set the date for its exit (31st January 2020), it effectively activated what is often referred to as the “hidden obligation” of GDPR for UK based businesses. Previously, the obligation of Article 27 only applied to non-EU countries such as the USA, Canada and Australia (and only where businesses within those countries processed data on EU citizens but without an EU establishment). Larger organisations within countries such as these are less likely to be non-compliant because they are more likely to have a presence within the EU. Many small to medium size organisations, on the other hand, are highly likely to fall foul of this legislation, mainly because it is not very well-known and only likely to be drawn to the attention of business owners who have hired expert data protection lawyers to assess their infrastructure.
UK businesses concerned about non-compliance with GDPR after Brexit should therefore ask themselves, “am I continuing to use data on EU subjects after the Brexit transition ends but I don’t have a physical establishment within the EU?”. If the answer to that question is “yes” then it is recommended that the business owner should appoint an EU representative to maintain compliance.
Is this legislation likely to be enforced after Brexit?
The short answer to this question is “yes”, particularly in cases where companies experience a data breach and are found to be non-compliant after an investigation of the breach. The Information Commissioner’s Office (ICO) will continue to enforce GDPR after Brexit and failure to comply with the regulations could expose your business to substantial fines of up to €10M Euro or 2% of global revenues. You may find the ICO’s Brexit FAQs PDF a useful reference point.
Flor McCarthy is one of Ireland’s leading lawyers and a recognised expert in marketing. He has particular expertise and hands-on practical experience in privacy, data protection and GDPR issues for marketers. He is certified by the Law Society of Ireland in Data Protection Practice and lectures lawyers on data protection practice and compliance. He is managing partner of a multi-award-winning niche legal practice. He has been in private practice for over 20 years and has been elected by his peers to sit on the exclusive Council of the Law Society of Ireland, the governing body for Irish lawyers.
If you process data on EU or UK data subjects and appreciate that compliance with the GDPR is essential for risk management, data-security and customer-confidence in your international business and you feel that you are a good fit for our EU representative services please click the button below to schedule a free call with us today. Assigning an EU or UK representative for your business is a straightforward process and we’ll be happy to talk you through it.
During the call we’ll answer any questions you may have and we’ll go through our service in full detail so that you have a complete understanding of our solution and how it can benefit your business. We look forward to speaking with you.