GDPR and Brexit: just when you thought you had it under control…

For those of you who thought the GDPR was already overly complex (and judging by a recent survey* that could be one reason why over 50% of businesses still haven’t completed their compliance documentation) it could be about to become even more difficult when we leave the EU.

Deal or No Deal

What happens to data protection after 29th March?

The 2018 Data Protection Act and UK GDPR will apply. If we exit with a deal, existing arrangements are likely to persist throughout the “implementation period”, so if there are any changes, we will have time and notice to take care of them.

However, if we exit with no deal, we need to consider the implications of data transfers to and from EU. Personal data flowing from UK to EU/EEA will probably remain compliant from a GDPR point of view. However, for data flowing the other way around, (for example a European company operating in UK or having a UK subsidiary transferring data from Europe to UK), significant additional safeguards will need to be implemented.


A no deal situation would result in UK being categorised by EU as a 3rd Country, meaning it no longer has “adequate” data security standards as far as EU GDPR is concerned. The GDPR places restrictions on the movement of data under these circumstances (known as “restricted transfers”) and great care must be taken to establish the lawful bases for processing data in this way. The GDPR refers to a number of possible “appropriate safeguards” that may be adopted to make transfers legal, and separately eight possible exceptions that may apply.

This is a complex area, many organisations rely on “standard contractual clauses” between the data exporter and importer, which have been pre-approved by the regulators and specify security standards which protect the rights and freedoms of individuals. Larger, multi-national type organisations may also have Binding Corporate Rules in place to cover this. However, given the inherent complexity of these circumstances, it would be wise to obtain professional/ legal advice if personal data are transferred from Europe to UK post Brexit.


But doesn’t the UK already have the appropriate standards?

Yes! Given the UK (as part of EU) currently enjoys that status, it is likely that, over time, the UK will attain acceptance of adequacy from the European Commission. However, it has been reported that the UK cannot apply for this status until it has actually exited; and, although the EU has indicated it would consider the application quickly, no timeframe has been published and the decision would not be without detailed review. So, although these complications may only be temporary, they would need proper consideration and explicit action to ensure continued lawful processing of personal data.

What about businesses that don’t deal in Europe?

If you are only based in the UK and only offer goods and services in the UK, then there is likely to be little change; in practical terms, it would be wise to review your legal bases for processing to make sure they still apply and review your privacy notices to ensure they accurately reflect how and where you process and store personal data.

Brexit is not another excuse to put off compliance

Remember, regardless of the outcome of the impending Brexit situation, all UK businesses, including SMBs, will need to ensure they continue to comply with current UK data protection laws and, importantly, be able to demonstrate their understanding and compliance with the legislation.

Those that have not completed (or even started) their GDPR compliance cannot use Brexit as an excuse. There are a number of GDPR companies offering practical and affordable options for SMBs who need a little help, in addition a multitude of self-help resources are available for those adopting the DIY approach. Whatever your situation, GDPR should still be high on your agenda and the uncertainties over Brexit should not distract you.


*International Association of Privacy Professionals (IAPP) survey in December 2018, less than half of respondents said they are fully compliant with GDPR (Dec 18).

Please note: The views expressed in this article do not constitute and cannot be relied upon as legal advice and you may wish to seek independent legal opinion before acting upon any of the topics mentioned.

GDPR: A Flash in the Pan or the Calm Before the Storm

The deadline has passed and everything has gone quiet; or has it?

Yes, it may be quieter than some people predicted but let’s not be too complacent. In the three weeks since 25 May, the ICO has been very busy; according to their site they have made 10 advisory and/or audit visits, issued 18 decision notices and issued 3 enforcement notices (fines).

Of course, anybody who thought that swingeing fines would be making headlines by now was probably being a little unrealistic; investigations take a while to be conducted and judgements a while longer to be delivered – so don’t expect too many scary headlines just yet.  But that does not mean that they aren’t on their way; in spite of the ICO statements saying they prefer the carrot to the stick, Regulators tend to like the deterrent that attention-grabbing headlines provide.

What about the companies that are not yet compliant?

If you are one of these then the first thing to acknowledge is that you’re not alone; a recent survey by Apricorn ( in May 2018, noted that only 29% of respondents were confident that they complied with the GDPR. That leaves 71% still to complete – or still to start in some cases -their compliance work.

Whilst you may be able to take a little comfort in the ICO’s previous statement that it will consider favourably those that have started their compliance journey – the clear message is “keep the momentum or start now!” We’ve all been bombarded with GDPR emails about consent and privacy notices for weeks so there is no excuse for claiming ignorance and doing nothing!

You’re under the spotlight

It is very easy for anyone – your clients, prospects, suppliers and the ICO – to get an initial impression of whether your company is making an effort towards GDPR compliance. Firstly, they can check whether you have registered with the ICO – which publishes a register of data controllers that have registered and paid their fee; secondly, they can look at your Privacy Notice on your website, which will give a good indication of your understanding of your GDPR obligations together with details of PII data handling and security.

By the way – the ICO states on its website that non-registration of Data Controllers is a criminal offence and that there are fixed penalties for offenders – so you’d be advised to make sure you take the test on their website to see if you need to register as soon as possible. (Although at the point of writing this, the registration part of their website was not working!)

What will people do with their new data rights?

A recent article quoted a European-wide survey by Veritas, which found that 40% of consumers plan to make a subject access request within 6 months of May 2018. It is clear that consumers want to take back control of their data and intend to exercise their rights under GDPR. What is not clear is how (mostly larger) companies will cope with this deluge of requests for information, given they have just 1 month to respond and cannot levy a fee. And for smaller organisations the implication is clear – have robust SARs policies and procedures in place sooner rather than later.

If you are not yet compliant, here are 5 actions to consider now:

  1. Register with the ICO if you are a Data Controller (and not exempt).
  2. Update your Privacy Policy. Make sure you inform all users how you collect, use and manage their data.
  3. Conduct a data audit so that you have a record of what PII exists, your lawful bases for processing, who you share it with and how long you keep it.
  4. Ensure you have adequate data protection policies in place which demonstrate your commitment to data security. This includes your IT systems which should meet industry standards and be regularly updated.
  5. Document how you will respond to any Subject Access Requests— you may not get many but they can be very time consuming, so have clear procedures in place.

Author: Colin Jupe, VXPartners, June 2018


GDPR – Do You Need To Do Anything?


Remember all the furore over Y2K? Planes would fall from the sky, banks wouldn’t function, our personal computers would stop and so on; but in the end it seemed that many of the risks were exaggerated. So, one might ask “is all the hype over EU General Data Protection Regulation a similar over-the-top reaction?”

In short – NO!  – You need to act now!

Despite the thousands of column inches attributed to the implications of these legislative changes coming in to force on 25 May 2018, it is predicted that over 50% of SMEs and over 30% of large companies will be unprepared for the introduction of some of the most important laws affecting businesses’ sales, marketing and IT activities.

And just to be clear, these are not new guidelines – they are laws; and the maximum penalty for flouting them is Eur20m or 4% of worldwide turnover, whichever is the higher – easily enough to put many SMEs out of business!


Who Does GDPR Affect?

Every company that collects or processes personal data on a EU resident is affected. And the GDPR definition of “personal data” is much wider than the old DPA one, including, for example, monitoring the behaviour of EU residents by tracking their digital activities; effectively, that could include pretty much all companies’ websites and/or apps.  Also included are any data that can be used to identify individuals – personal and company emails, IP addresses or still or video images for example; so, it’s difficult to see which companies won’t be affected.


Sales and Marketing Take Note, It’s Not Just an Issue for IT and Compliance

GDPR is a fundamental change in the way that data collection and use is regulated. Historically we have been used to relatively straightforward laws and low levels of enforcement; GDPR probably has the most onerous personal data laws and penalties in the world.


Of course, that means enhanced compliance procedures and processes – not only are companies forced to apply the new laws, but they must also be able to demonstrate that they are compliant. This in turn has wide implications on IT for example how data are stored, indexed and transferred.


But equally important are the implications for Sales and Marketing, who will need to adopt an entirely customer centric attitude; many will need to completely rethink the ways they collect and use customer and prospect information, paying heed to the new, exacting requirements of consent and privacy.


What About Brexit?

“Won’t everything just get back to the old ways after we leave the EU?” ….NO!

Clearly, for companies wishing to trade in/with the EU, the new laws will be in force (and enforced). For others continuing to trade within Britain (or with non-EU countries), commentators believe cyber security and data privacy is so important that we’ll continue to adopt into UK law post Brexit the principles of GDPR.

Time is Running Out

May 2018 might seem like a long way away – but our advice is don’t delay – GDPR affects all companies that hold any personal data, assess whether you need external help and start planning now.


5 GDPR Steps to Take Now

  1. Know your data – Document what personal data you hold, where it came from and who you share it with.
  2. Consent must be explicit (and freely obtained) – Review how you seek, record and manage consent and whether you need to make any changes. Refresh existing consents now if they don’t meet the GDPR standard.
  3. Privacy is key – Review your current privacy notices and put a plan in place for making any necessary changes in time for GDPR implementation.
  4. Individuals have rights to see manage and port data you hold on them – Check your procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide data electronically and in a commonly used format.
  5. Breaches can be costly – Make sure you have the right procedures in place to detect, report and investigate any personal data breach.

Colin Jupe       August 2017