The General Data Protection Regulation (GDPR) is a framework for data protection laws that have been designed to give greater rights and protection to individuals. The primary aim of the GDPR is to give EU citizens control of their personal information and simplify the regulations for international business.
Even though the GDPR has been introduced for encouraging businesses to think more seriously about data protection, there are some harsh penalties that come with it for non-compliance. So, the question is, will GDPR affect your business in the UK and if yes, then how?
In this blog post, we discuss the impact of GDPR on UK businesses and whether Brexit will influence the regulation in the UK or not.
How GDPR affects UK businesses
All individuals, organizations, and businesses that either control or process personal information of EU citizens are required to be compliant with the GDPR. For businesses in the UK, this simply means that if you store or process any information that can be used to identify an EU citizen then you are required to be compliant with the GDPR.
What will non-compliance mean?
One of the most important aspects of the GDPR is its penalties. If you are non-compliant with any part of the GDPR then your business can be fined. For example, you can be fined if you do not process data about individuals in a correct manner, if you do not appoint a DPO, if there is a security breach, or if you fail to meet any of the other requirements of the GDPR.
The actual amount of the fine will depend on the type of violation, but the fines can be as high as €20 million or 4% of your business’ global revenue, whichever is higher. For small and medium-sized enterprises (SMEs), these fines alone could lead to the business being shut down.
GDPR anniversary: The Numbers
Ever since the GDPR became enforceable last year, people have not just become aware of their privacy rights but have continued to exercise these rights. A high number of complaints have been made in the last year to the national Data Protection Authorities (DPAs), which are responsible for enforcing the GDPR in their country.
As we approach the first anniversary of the GDPR, we take a look at the most interesting statistics that have surfaced since the GDPR came into effect on May 25, 2018.
- UK citizens registered the highest number of complaints (33,000+) to DPAs with roughly 50 complaints per 100,000 citizens.
- Businesses in the UK reported the highest number of breaches (11,000+) across Europe.
- An average of 42 breach notifications were sent by UK businesses to the UK DPA daily.
- More than 59,000 breaches have been reported across Europe since the introduction of the GDPR.
These statistics show how both citizens and businesses have now become aware of the importance of data protection since the GDPR was introduced. Citizens of the EU can now register complaints against businesses that may be exploiting their personal information.
If found guilty, this can lead to heavy fines and penalties being levied on the respective businesses. Consequently, businesses are now not only improving their information security but are more transparent about their security policies and processes as well.
Does Brexit affect GDPR?
The GDPR is applicable to all companies that store the personal information of EU citizens. In other words, it applies to you if EU citizens are your customers and you store their information digitally.
Before Brexit, the GDPR was not just applicable to all businesses in the UK, but it also protected the information of UK citizens. After Brexit, the GDPR will still be applicable to UK businesses but only the ones that store the information about EU citizens (or customers residing in Europe). The GDPR has an extra-territorial effect so non-EU countries (such as the UK after Brexit) will also need to comply with the regulation in order to avoid fines and infringements.
Furthermore, the UK has also replaced its 1988 Data Protection Act with the 2018 Data Protection Act which closely resembles the GDPR. What this means is that businesses in the UK will still have to comply with almost all the privacy and security requirements of the GDPR, even after Brexit.
Regardless of whether the UK remains inside the EU or not, the GDPR will be enforceable (on its own or through the 2018 Data Protection Act) on businesses in the UK. Therefore, our recommendation is to become GDPR-compliant, if you are not already.
The GDPR is an extra-territorial regulation by the EU that aims to protect the privacy of its citizens. All businesses, inside and outside of Europe, which process the personal data of EU citizens in any way are required to be compliant with the GDPR. For businesses in the UK, this means that regardless of whether Brexit happens or not, they will need to meet the requirements of the GDPR in order to avoid hefty fines and reputational loss.
The process towards GDPR compliance is not a simple one, however. One of the most challenging tasks is to first assess your business’ information security and identify what areas need to be addressed in order to become compliant.
Apvera is a cybersecurity partner that helps businesses evaluate and strengthen their information security to meet the requirements of various compliance standards, including GDPR. We help you identify risks, understand your security posture, and drive you towards GDPR compliance.
If you are still unsure about whether you are compliant with GDPR and what your next step should be, get in touch with us right away.