GDPR Post Brexit
GDPR – Does it still apply to me and my business?
Why the need for regulation?
In our rapidly evolving digital landscape, where data has become the cornerstone of business operations, safeguarding the privacy and rights of individuals has gained paramount importance. The General Data Protection Regulation (EU GDPR), implemented in May 2018, represents a significant milestone in the global effort to protect personal data. The regulation not only empowers individuals with greater control over their data, but also places considerable obligations on businesses to ensure compliance.
UK GDPR refers to the adaptation and continuation of GDPR in the UK post-Brexit. After the Brexit transition period ended on 31 December 2020, the UK maintained its own version of data protection laws closely aligned with GDPR, in the form of the Data Protection Act 2018.
Which data protection regulations apply to me?
If you have a UK business and process personal data relating to individuals in the UK, then UK GDPR will apply. If you process data relating to UK individuals in the EU, or process personal data in the UK relating to individuals who are based within the European Economic Area, then both EU GDPR and UK GDPR will apply.
What do I need to think about?
All organisations that collect personal data should ensure that data subjects can review their privacy policy, which needs to set out a number of measures including:
• The categories of data the business collects
• The lawful basis for processing
• Data subject rights
All businesses should also have an internal privacy policy relating to the collection of employee data. If personal data is passed to any third parties in the operation of the business, then a data processing agreement may be required.
Do I need to appoint a DPO?
If you run a business with more than 250 people, then you are required to appoint a formal Data Protection Officer (DPO) and register this person with the Information Commissioner's Office (ICO). If your business does not reach this threshold, you are still required to appoint someone internally who will be responsible for data protection. This must be a person with sufficient knowledge, seniority, and autonomy within the business.
What happens if I don’t comply?
The ICO regulates data protection and monitors compliance in the UK and has the authority to conduct audits and inspections. Non-compliance with GDPR can result in significant fines and penalties, making it crucial for businesses to understand and adhere to the requirements of the applicable regulations to ensure the protection of individuals’ privacy and avoid legal consequences.
If you have any concerns over current procedures and policies in your organisation, it would be wise to seek professional advice.
Victoria Darvall
Associate Solicitor
Corporate and Commercial, Mogers Drewett