The imposition of GDPR and uncertainty surrounding Brexit has created a challenging environment for businesses in the U.K. Stricter regulations, stronger protections individual privacy, and heftier fines have left businesses with a stark realisation of their obligations under the GDPR. Plus, it appears that the data protection regime post-Brexit will impose additional challenges for businesses large and small, especially in the tech sector.
The Old World
Under the former regime, the Information Commissioner’s Office had generally not reached the maximum fine of £500,000. Most major breaches left companies paying between £250,000 and £400,000. Facebook was the last company fined under the old law (the full £500,000) which involved the improper sharing of over 87 million users without their consent. Thus, the impression most experts got from the ICO was that under GDPR they would only sparingly flex their enforcement muscles. This came as a relief, given the fines that business face under GDPR could reach up to €20 million or four percent of the total worldwide annual turnover of the preceding financial year, whichever is higher.
Yet recent decisions issued by the ICO have radically changed the impression that they would be averse to administering hefty fines for data breaches.
In July of this year, the ICO issued a notice of its intention to fine British Airways an incredible £183.39 million after infringing aspects of the GDPR. Shortly after, Marriott International was informed that the ICO intended on fining it almost £100 million after their own data breach. This is a huge departure in scale from the previous fines, demonstrating that the ICO will not hesitate to use its new fining powers where it feels justified.
A Possible Explanation
The facts of each case could explain why the fines are so high. First, the number of people whose information was compromised was high. The British Airways gaffe impacted around 500,000 people, and Marriott released over 339 million records (although only 7 million British residents were affected). The length of time each breach lasted is a factor. BA’s lasted a fairly short time (from June to Sept 2018), while the Marriott system had been compromised since 2014 (though not discovered until last year). In both incidents, the type of details that were compromised probably impacted the fine: payment information, credit cards, passport numbers and dates of birth. All this could easily be used to steal someone’s identity and ruin their credit.
Both companies have indicated that they will be appealing the decision. Each has 28 days to make representations to the ICO from issuing its proposed fine. Thereafter, the regulator has up to 16 weeks to deliver its final verdict. Any fines that the ICO receives will return to the Treasury, although there has been some discussion in allowing the ICO to keep these funds to be used in its enforcement efforts.
The ICO’s annual report revealed that last year was a record-breaking year when it came to issuing monetary fines, with complaints doubling within the last year. Given the severity of the fines imposed on these major companies, even after cooperation and mitigation, it is understandable that some businesses are concerned about their exposure under GDPR.
Once – or if - the UK leaves the European Union (however that may happen), it will be considered a ‘third country’ under GDPR. This will mean that any transfers of personal data from the EU to the UK will be restricted transfers, subject to higher standards. A restricted transfer involves a transfer of personal data from outside the protection of GDPR, such as a transfer from Ireland to the United States.
A restricted transfer can occur only if it complies with Chapter V of the GDPR. This means that it must be covered by an adequacy decision from the EU Commission, where they determine that the legal framework in the third country is sufficient to protect individuals’ rights when it comes to processing their personal data. There are very few countries currently on this list. Some EU officials have warned that it could take years before an adequacy decision may be issued for the United Kingdom – even if the U.K. is fully adherent to the GDPR. The process to begin an adequacy decision will only start once the U.K becomes a third country. On average, the procedure takes 28 months.
Up until the UK becomes a country with an adequacy decision, the transfer must be covered by ‘appropriate safeguards.’ For businesses who have affiliates based in the EU, one option is to use binding corporate rules (BCR’s), which is an internal code of conduct for a multinational group. These BCRs must be approved by an EEA supervisory authority within an EEA country where a company is based. In the event of a ‘no-deal’ brexit, the ICO can no longer serve as a lead supervisory authority. For more details on this process, the European Data Protection Board has issued guidance for businesses.
In most cases, both parties will need to enter into the standard contractual clauses or model clauses, which have been adopted by the Commission. While they pre-date the GDPR, they are currently viable for use until the Commission updates them. With the exception of some additional clauses for business-related issues, these clauses cannot be amended or deleted in any way. In most cases, incorporating the model clauses to existing business contracts will be the best and easiest way to comply.
How to Prepare
The good news is that the UK government has advised that transfers to the EEA will not be restricted. Data flows from the UK to the EU will thus proceed under the status quo without the need to amend their practices even if there is a no deal Brexit.
The best thing businesses can do to prepare now is to first, ensure compliance with the GDPR. Even in a post-Brexit world, GDPR will be applicable, especially for any UK businesses that conduct business in the EU. After all, asserting compliance with GDPR is a commercially attractive trait. Though the regulatory burden on businesses is significant, companies can engender trust with potential clients in how they treat people and their data.
Next, businesses should review their existing security and data frameworks, and conduct an audit of contracts that may require additional model clauses. Check the language of the contract and ensure there is nothing which prohibits a transferral of data outside the EU. Review privacy policies and check that they are transparent in informing the data subject if their personal data will be passed out of the EU. Finally, the ICO has published a useful guide for small and medium sized businesses to get ready for GDPR post-Brexit.
MBM Commercial offers a variety of data protection services to help businesses become GDPR compliant. We provide audits and a monthly advisory service where we can be ‘on call’ to answer questions and provide template privacy policies.
If you would like to find out more about GDPR or MBM’s IP, Data and Contracts team, then please contact Andy Harris at firstname.lastname@example.org or on 0131 226 8208. Andy is a Partner and Head of MBM Commercial's IP, Data and Contracts team.