GDPR and Brexit

The introduction of the General Data Protection Regulations (GDPR) in May 2018 altered the way companies in the UK and EU collect, process, and store personal data. The following highlights the changes which the GDPR has introduced and the potential effects of Brexit on data handling.

GDPR Key Changes

It is important that you are aware of GDPR key changes and how to implement GDPR. To help you with this, we have summarised the key points:

There is an increased territorial scope – it applies to all companies that process personal data of people residing in the union, regardless of the company’s location.

You must give data subjects more information when you are collecting their personal data.

There are new regulations for gaining consent to collect personal data. Both consent and explicit consent now require clear affirmative action.

The age barrier for collecting data is rising from 13 to 16.

You must delete data that you are not using for its original purpose.

People can revoke their consent to data processing at any time, and it must be easy for them to do so. More control must be given to the data subjects.

You have 72 hours to notify data breaches to regulators, unless the breach is unlikely to result in a risk to data subjects.

There is a single national office for complaints.

Large data controllers must appoint a Data Protection Officer.

If you do not comply with the GDPR, you could face fines of up to €20,000,000 (roughly £18,000,000) or 4% of your total global annual turnover for the preceding financial year.

Fines and Breaches

2019 has seen proposed fines of £183m and £99m handed to British Airways and Marriot whilst Facebook suffered a £500k fine in late 2018. Overall, in the first nine months there were 206,326 cases of GDPR breaches across 31 EU countries.


The GDPR applies to anyone who processes the personal data of EU residents. This means that, whether your business is small or international, you must comply with the new regulations for secure collection, storage, and usage of personal information.

Whilst the GDPR is an EU regulation, UK businesses must still comply with the new regulations even if there is no data collection from EU members. This is because in 2018 the GDPR regulations were made part of UK law, forming part of the Data Protection Act 2018.

GDPR Obligations on SMEs

Article 30 of the GDPR distinguishes between the obligations placed on companies such as Facebook and those placed on SMEs employing fewer than 250 people. Nevertheless, SMEs must bear the following stipulations for GDPR in mind:

If the processing carried out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data as defined in GDPR Article 9 then the GDPR will affect small businesses under 250 employees.

Any breaches in data security must be reported immediately to data protection authorities such as the Information Commissioner’s Office (ICO) which is responsible for enforcing GDPR in the UK. Ideally, breaches should be reported within 24 hours if possible but at least within 72 hours.

Individuals have more rights dictating how businesses use their personal data. In particular, they have the ‘right to be forgotten’ if they either withdraw their consent to the use of their personal data or if keeping that data is no longer required.

It is also possible for individuals to sue companies for breaches to recover not only material damages, but non-material damages such as distress.

Marketing and Awareness

The GDPR was introduced to give consumers more visibility and control over how their personal data is being collected, processed, and stored. The Right to Access allows consumers to confirm with companies what data is being collected from them and how it is being processed.

You may have noticed recently that many businesses currently in possession of your data have had to re-confirm your consent as a preventative measure to protect against GDPR breaches. In the new climate of data protection, the awareness of consumers means that re-permissioning consent will likely result in a significant reduction of subscribers. This is illustrated by Henley Festival who saw their subscribers drop from 24,000 to 8,000.

This risk may be an unnecessary one if your company already possesses one of the six legal bases to process data other than consent. Deputy Commissioner of the ICO, Steve Wood, has busted the myth that fresh consent is required to comply with GDPR so think carefully before putting your database at risk.