Following Boris Johnson’s announcement that the UK must prepare for a no deal Brexit, privacy expert warn that this could cause businesses to face fines in the million. The announcement means that the recurring nightmare of GDPR and data migration will once again be on the agenda for businesses. This will especially be the case for businesses that have taken their foot off the pedal over the last two years, believing that their work was done on this front. Even despite COVID-19 leniency, fines from EU watchdogs have been in the millions. These businesses could be next if they don’t act now.
With Boris Johnson today saying that the UK must be prepared for a no trade deal with the EU, the question of data migration becomes urgent again for businesses everywhere. Both the EU and the UK government have suggested, however, that a deal could still be done. But with the outcome of the UK-EU Brexit trade negotiations is still uncertain, and two-and-a-half years after the GDPR came into force, businesses must now return to the challenge of understanding their data flows.
Action is going to be especially important for organisations that might have taken their feet off the pedal over the last 30 months, thinking that their work was done. Moreover, some watchdogs, such as the ICO in the UK have issued only limited fines and even pledged leniency during the COIVD pandemic, which could have lulled organisations into a false sense of security. It’s important for those businesses to recognise that action will soon lie in the hands of international watchdogs, many of which have been more willing to bare their teeth.
Since the introduction of GDPR, EU data regulators haven’t been shy to flex their enforcement muscles for GDPR non-compliance. Even taking COVID-19 leniency into account, recent fines have remained in the region of millions of Euros/Pounds. Brexit could be a painful reminder to some organisations that evidencing data compliance is high on the agenda of many, if not all, of the European Data Regulators, and not a one-time exercise.
Even if a broader UK-EU trade deal is agreed, then the UK may still not receive a positive adequacy finding for some time which will have an immediate impact on the free flow of data from Europe to the UK. Understanding the lifecycle of personal data, including geographical flows will become mission critical to ensuring the compliant use of personal data for all businesses operating in Europe.
And, in the event that a deal is agreed, the work around data diligence is seldom wasted. As we saw two-and-a-half years ago, those companies that embraced the opportunities offered by the GDPR to drive business and process transformation to get the very best from their personal data will be the real winners post Brexit.