GDPR and Brexit after the triggering of Article 50 – clear truths and facts

There are some serious issues concerning the General Data Protection Regulation (GDPR) and Brexit since the triggering of Article 50 (Brexit). Discover what they are and why you need to get better informed now or bear the (expensive) consequences. A no-nonsense overview.

The potential consequences of Brexit have been feeding media outlets for a long time now. Since Theresa May formally triggered the so-called Article 50 to start the process of leaving the EU, this is even more so with often highly emotional reactions.

We are likely to continue to see stringent data protection in an independent UK rather than a watered down version of GDPR (John Culkin, Crown Records Management)

Brexit has also led to uncertainties regarding the impact of Brexit on the GDPR (General Data Protection Regulation). Here is what you MUST know about GDPR compliance business strategy and Brexit.

People and businesses who are affected by Brexit have a lot on their mind. Yet, ignoring the GDPR text and its personal data protection rules would be a grave mistake as UK businesses also need to be GDPR compliant and avoid GDPR fines. In that sense we were pretty shocked to read about a survey, conducted by Crown Records Management, a leader in document management, information management and related areas such as document scanning, which has been doing some very solid work to help its customers become GDPR-compliant. We take a look at it and, more importantly, at the truths of Brexit and GDPR.

Brexit and GDPR - facts and realities

Alert: Brexit is not an excuse to stop GDPR preparations – as many do

Several trade media, including Information Age, reported on the survey by Crown Records Management, showing that close to a quarter (24 percent to be exact) is not preparing for the GDPR anymore.

Even worse: 44 percent of respondents, which by the way are IT and information management decision makers, believe GDPR will not apply for businesses in the UK after Brexit. Finally, the survey found that 4 percent of UK companies still needs to start preparing for GDPR.

To be honest at first we thought it was an April Fool’s joke but you don’t pull those on March 30th 2017 (when Information Age reported the data), do you?

A quick call to Crown Records Management in the UK taught us that the numbers are indeed correct, that there will be a white paper from Crown roundabout end April with, among others the findings and advice. As said, Crown Records Management has been very active in GDPR compliance and clearly continues to. The company offers services, white papers and webinars. In the Summer of 2016, Crown for instance organized a webinar with AIIM, the association of information management professionals, of which we’re a member too, entitled “Think Brexit Saves You from EU Data Regulations? Think Again!” (you can still watch and hear it, registration required).

Brexit and GDPR: the good news

Truth to be told: the UK has been preparing relatively well for GDPR until now and the work that has been done by organizations such as the UK’s ICO (Information Commissioner’s Office) is pretty massive.

We can even say that the UK has been outperforming some EU countries regarding GDPR preparations. Moreover, as the various sources which report on the survey by Crown Records Management state, we quote, “the survey revealed that seven in ten UK businesses with more than 100 employees have already appointed a data protection officer”, which by the way is only needed in specific circumstances as you can read in our article about the Data Protection Officer.

When talking with Crown Records Management we understood that, from a GDPR preparedness perspective, the same issues exist as we see them with talking with people on mainland Europe. The level of awareness, let alone preparedness, at some firms is sometimes shocking to hear.

Yet, those numbers found by Crown Records Management, keeping in mind that the survey was conducted AFTER Theresa May triggered article 50, as confirmed in our call, are even more shocking.

Facts and realities: why GDPR preparation remains critical for UK businesses, despite Brexit

Now about those facts regarding Brexit and the GDPR. Let’s sum a few of those facts – and reasons why not preparing is extremely dangerous – up.

Fact: the procedure for the UK to leave the EU is set in motion, period. Nothing to add there as we don’t talk politics here; it is what it is.

Fact: the territorial scope of the GDPR is clear.

Compared with the previous directive and, as reported on our GDPR page the GDPR comes with extra-territorial applicability. Simply said it applies to the lawful processing of personal data of EU citizens, regardless of where that processing occurs, with specific stipulations you see in the graphic below.

GDPR Territorial scope- subjects controllers and processors - when GDPR applies
GDPR Territorial scope- subjects controllers and processors – when GDPR applies

Fact: the GDPR will apply, unless the EU falls apart, the world explodes, UK businesses delete all data regarding EU citizens or stop doing business with the EU, whether the UK is in the EU on May 25th 2018 (when the GDPR becomes applicable) or not.

Fact: it is highly unlikely that the UK will be out of the EU by the time the GDPR de facto becomes applicable (it is expected that the Brexit will be finalized at the very earliest ‘somewhere’ in 2019, if not later).

Dominic Johnstone Head of Information Management Services Crown Worldwide spoke at an AIIM webinar or Brexit and GDPR - watch it here
Dominic Johnstone, Head of Information Management Services, Crown Worldwide, spoke at an AIIM webinar on Brexit and GDPR – watch it here

Fact: whether we like the GDPR and EU privacy rules or not: there are fines of up to 4 percent of annual turnover or €20 Million, whereby the highest of both is applied. You chose.

Fact: as John Culkin of Crown Records Management puts it in the press contacts he had about the mentioned survey:

“The reality is we are likely to continue to see stringent data protection in an independent UK rather than a watered down version. This means the best course is to prepare now and have a watertight information management system in place as soon as possible. This issue is not going away.”

Fact: no one has a crystal ball that actually allows seeing in the future (as far as we know) but it’s pretty unlikely that GDPR will not affect UK businesses.

It’s even more likely that the UK will implement (a form of) GDPR to continue doing business with the EU, once all the emotional stuff is – hopefully – gone and everyone comes back to his senses.

The latter might start by picking up those GDPR preparations again, Brexit or not, and to make informed decisions about GDPR compliance. The ICO, Crown Records Management and many many other organizations in the UK can tell you why and how.

Disclaimer: we have no commercial relationship or affiliation with any of the mentioned organizations. Although the content of this article is thoroughly checked we are not liable for potential mistakes and advice you to seek assistance in preparing for GDPR. Top image: Shutterstock – Copyright: donfiore – All other images are the property of their respective mentioned owners.