GDPR – What has changed with Brexit?
Only four years ago, firms were preparing to fully implement the General Data Protection Regulation. Since the end of the EU transition period on 31 December 2021, businesses have had to face a raft of changes. One of those is the switch from the EU's GDPR to the UK GDPR. Although the EU Regulation was converted into UK law on 1st January 2021, and therefore mirrors the Regulation for the most part, there are some changes, and the potential for more, given that the law is now under the remit of the UK government.
Questions remain as to how compliant firms are with current data protection regulation. Historically, it is financial services firms that are hit hardest by the consequences of a data breach. Unsurprisingly, there has been a significant increase in personal data breaches over the previous 12 months, with cybersecurity issues accounting for the majority. However, IBM and the Ponemon Institute's 2020 'Cost of a Data Breach' report found that an astonishing 23 percent of all data breaches were caused by human error.
The cost to firms is enormous, with the 2021 'Cost of a Data Breach' report finding that in the UK, fines rose from £2.9m to £3.3m: the highest total in the 17-year history of the report. Ensuring compliance with the law is as important now as it ever has been, both in terms of avoiding fines and regulatory action, and in ensuring good outcomes for customers.
Post-Brexit, the speed of change may be significantly faster than in the past. The UK government has mooted a new bill that will make changing and interpreting laws that were previously EU law much quicker. The 2021 consultation 'Data: a new Direction' suggests that areas for change might include the listing of processing that would automatically meet the 'legitimate interests' test, the reduction of the types of data breach that need to be reported, limits on subject access requests (SARs) and changes to the requirements around Data Protection Impact Assessments.
So, post-Brexit, what do firms need to make sure they’re doing right?
Ensure transfers to other countries are compliant. The Financial Conduct Authority (FCA) is at pains to remind firms that the UK is now a third country in the eyes of the EU, meaning that awareness of how this might affect data sharing between the UK and the EEA is vital. The UK follows a similar protocol to the EU, and the EU Commission has published two adequacy decisions relating to the UK, expected to remain in place until June 2025. These mean that the UK provides 'adequate protection' for personal data transfers to the EU not relating to UK immigration control, and that UK firms can continue to lawfully send personal data to the EU, unless there is a change to the adequacy decisions.
The adequacy decision makes transfers between approved countries legal. However, under the UK GDPR, firms wishing to transfer personal data outside of the UK or another approved country must make sure that data subjects will be given the same rights as they would have in the UK. Standard Contractual Clauses are one way to do that. As of late March 2022, the ICO has updated the terms for UK-based data controllers through two means: the international data transfer agreement and the international data transfer addendum, which replace the old contractual clauses for international transfers. The documents are available on the ICO website.
Communication with customers is key. The rights enshrined in the GDPR remain in place: individuals have the right to control who collects their data, what information is collected and how their information is used, and a right to have access to it. This means that firms must be able to demonstrate that they have given their customers the information they need to understand what is happening and how to make decisions, as well as the ability to challenge processing or ask for their data to be amended.
Where there are any changes, tell customers so that they understand what is happening and why. Information should be communicated clearly and in plain language. Privacy Notices should be reviewed regularly and updated, particularly in the event of new practices or audits finding unclear communication.
Policy and Procedure. Robust procedures form the basis of the firm's approach. Data protection, data retention and data breaches must be comprehensively covered. These documents are crucial in setting the standard for safeguarding information from cybercrime, corruption and misuse. As such, a regular audit of how well the policies work in practice makes good financial sense, saving time and money, while reflecting a conscientious approach to the regulators.
Educate staff on UK GDPR expectations. As an industry, Financial Services carries an enormous potential risk of harm to its customers. Data breaches can have significant consequences for consumers. Personal data in the wrong hands can lead to financial consequences and to distress. While the firm might be confident that policies are in place and that confidential information should be dealt with securely, one employee error can undo everything.
Ensuring that staff undertake regular training helps to ensure there are no weak links and that everyone within a firm is up to date on key changes, best practice, and what to do if things go wrong. External training can provide a fresh perspective on contemporary industry practices.
Our UK GDPR compliance resources provide everything that firms need to meet the legislative requirements. We also offer online training that interprets the requirements that all staff need to abide by in an easy-to-understand, relatable way. Priced at £20, the course is accessible at the user's convenience and provides a certificate upon successful completion.
For large groups, we can offer a simplified enrolment service and pricing; simply email Robert.firstname.lastname@example.org.