Business challenges: Privacy and Brexit



Changes to data protection laws: Be Prepared! Be Business Compliant! Or Beware!

What is the General Data Protection Regulation (GDPR)?

After four years of negotiation, very significant changes to data protection legislation have been finalised. The General Data Protection Regulation (the “GDPR”) will come into effect on 25 May 2018. The GDPR will dramatically alter the way that data protection applies in the UK and will almost certainly remain in effect after Britain’s exit from the European Union scheduled for 2019. The aim of the GDPR is to create harmonisation of data protection rules across the single market. Historically there has been huge variance in the way that data protection rules have been implemented by member states and, to an even greater degree, in how they are enforced. The UK has always been a light-touch jurisdiction for the punishment of data protection breaches when compared to countries such as Spain and Portugal.

Whilst the preamble to the regulation states its aim of ensuring that businesses can optimise the opportunities of the digital single market and benefit from reinforced consumer trust, for many UK businesses the effect will be increased compliance obligations and more severe penalties for non-compliance. All businesses must now focus on what the introduction of the GDPR will mean for their processes and legal documentation.

Be Prepared!

Businesses need to consider the changes required by the GDPR in order to be prepared for 2018. The key points below highlight notable concepts:

Many of the existing core concepts under current legislation will remain the same. However, the GDPR makes many important changes to the detail of EU data protection law.

The GDPR will apply to non-EU organisations if they offer goods or services to EU residents or monitor the behaviour of EU residents. Many organisations that are not subject to existing EU data protection law will become subject to the GDPR, especially online businesses.

Under certain criteria, the data subject (i.e. the consumer whose data is being collected) will have the right to object to their personal data being processed. These circumstances include where personal data is being used for profiling purposes.

Binding Corporate Rules (“BCRs”) are agreements used to lawfully transfer personal data out of the European Economic Area to jurisdictions where there are not adequate safeguards in place for the protection of such personal data. The GDPR formally recognises BCRs. They will (as now) require approval from the relevant data protection authority, but securing these approvals should be more straightforward than under the current system. Businesses should review their current procedures for transferring personal data outside of the EEA and keep these procedures under close review. Businesses should take into account the right of data subjects to have their data erased. The deletion of data is not always easy and in particular may adversely impact on the operation of internet platforms. Businesses should allocate additional resources to ensuring the issue is manageable.

www.buckworths.com

Data subjects also have a new right to obtain a copy of their personal data from the data controller in a readable format. All businesses should review their systems to ensure they can meet this new requirement in the strict timelines set out in the GDPR. Businesses established in multiple Member States should think about which single “lead data protection authority” they wish to be regulated by. Most businesses will only interact with their “lead DPA” on regulatory issues, and can avoid having to deal with multiple DPAs across the EU.

There is uncertainty regarding the relationship between the GDPR and other laws (e.g. the ePrivacy Directive). Further guidance will be issued in early 2017.

Be Business Compliant!

The final version of the GDPR was published on 4 May 2016, but enforcement of the GDPR will not commence until 25 May 2018. This ensures a sufficient transitional period for businesses to become compliant with the GDPR. The GDPR requires that businesses secure a higher level of consent than is required under the current rules. Such consent must be given by a clear, unambiguous, informed, affirmative indication of the individual’s agreement to their personal data being processed. This includes by way of a written, electronic or oral statement. Businesses must also ensure that an individual can withdraw their consent at any time. The consent must be as easy to withdraw as it is to provide.

office@buckworths.com

Businesses must reply to individuals requiring copies of the personal data held on them within one month from the date of receipt of the request. The type of data that can be requested is now far broader than previously. Businesses should review current staff levels and systems to accommodate the new time frame. Businesses are now required to report data breaches to the relevant data protection authority within 72 hours of becoming aware of the breach. For most businesses, major changes to internal reporting structures will be required, including the recruitment of additional staff and material alterations to monitoring and reporting policies.

The GDPR imposes increased compliance obligations on data controllers. These obligations include the requirement to implement appropriate policies, to keep records of processing activities and to build in privacy by design and by default. Under the GDPR, data processors (as opposed to just data controllers under the current regime) have direct legal compliance obligations, and data protection authorities can take enforcement action against data processors. As such, businesses who merely process personal data must now be extra careful to ensure that they are compliant with the GDPR.

Beware!

The Regulation will enforce much tougher penalties in comparison with the current Data Protection Act. Currently, under national law fines are comparatively low – for example the UK maximum fine is currently £500,000. Further, the UK regulator rarely imposes fines, and even then fairly moderate ones for very serious breaches. Any business that breaches the GDPR can expect maximum fines of up to 4% of annual global turnover or €20 million. The expectation is that fines will be towards the top end of the scale and that there will be little leniency for startups and small businesses. As start-ups will be aware, fines of this magnitude could easily lead to insolvency and closure. No business will be bulletproof when it comes to the compromise of personal data; therefore it is essential that businesses are prepared to adapt to the changes or prepared to pay severe penalties.

Buckworths are now working with clients to undertake detailed reviews of their privacy policies, internal compliance and reporting processes to identify weaknesses and any lack of compliance with the GDPR. These reviews, and remedying any weaknesses found as a result, take time. Businesses may need to go back to their customer base to get new consents for certain activities and may need to consult with staff on policies relating to the processing of their personal data. Companies may also need to negotiate changes to existing customer and supplier contracts, particularly where personal data is transferred as part of the agreement. Focusing on these challenges early will avoid businesses finding themselves non-compliant when the GDPR comes into force. BE PREPARED! BE BUSINESS COMPLIANT! OR BEWARE!



Business Challenges: Brexit

The Prime Minister has declared that “Brexit means Brexit” and apparently we intend to “have our cake and eat it”. But nobody really knows what any of this means. There is extensive debate in the press between those who want a “hard Brexit” and those calling for a “soft Brexit”, with the presumed difference between the two being whether or not the UK retains access to the European Single Market. For all businesses operating in the UK, the position of the UK post-Brexit and, in particular, whether or not the UK will retain unrestricted access to European markets and whether European citizens will be able to live and work in the UK, are of vital importance.

What will Brexit look like?

Businesses operating in regulated industries including financial services, bio-tech and med-tech within the EU are currently able to “passport” their regulatory authorisation into other EU states with minimal additional obligations. This saves such firms from having to apply for authorisation in each member state and allows UK firms border-free access to all EU markets based on their UK authorisation. In the worst-case scenario, critics of Brexit claim that a “hard” Brexit by the UK could result in the withdrawal of passporting rights, with disastrous results for businesses in those sectors in particular. However, the likelihood is that no such wholesale withdrawal will occur, at least in the medium term. This is because legislation across most regulated industries allows passporting where there is equivalence of regulation between the state of origin and the EU. The best example is with financial services.


In the event that the UK revoked its membership of the EU and made no attempt to negotiate a new deal with the EU, UK financial services businesses would lose automatic guaranteed access to the EEA single market and the corresponding rights of freedom of establishment and movement. However, the EU operates a framework which allows financial services businesses established in jurisdictions outside of the EU (so-called “third countries”) to access EU markets in certain circumstances. The UK would become a third country for these purposes on Brexit. Access to EU markets for financial services businesses in third countries is conditional on them satisfying several requirements. These include the business being properly authorised and regulated in its home country, and the regulatory regime (including in relation to anti-money laundering, taxation and financial crime) being equivalent to the EU regulatory regime. Whether or not UK financial services businesses will be able to access the EU market will therefore depend on how closely the UK regime remains aligned with that of the EU. Presumably, at least at first, the regimes would be remarkably similar (assuming the UK government grandfathers existing EU rules into UK law). However, care will need to be taken to ensure that the UK regime does not subsequently change with the effect that it ceases to be equivalent. Additionally, with each new piece of EU legislation governing financial services, there will need to be a negotiation between the UK and EU on how equivalent any UK implementation is and whether, therefore, UK financial services businesses should be entitled to automatic passporting going forwards.

What risks does Brexit present?

Risks vary by business sector. As set out above, for fin-tech businesses the biggest risk relates to whether they will continue to be able to passport their regulatory clearances to other European countries. The likelihood is that they will be able to do so, as the most likely scenarios governing the post-Brexit deal allow some form of passporting at least in the medium term. For med-tech and bio-tech businesses, the withdrawal of parallel legislation for drugs and medical appliances poses a significant risk to their ability to trade with Europe post-Brexit. For these businesses, the prospect of being required to comply with multiple regulatory regimes appears to pose a very significant business risk. However, the likelihood is that the UK and Europe will maintain parallel regulatory positions for the medium term and that the main issue may well be the imposition of tariffs, a problem that can be resolved in part by the incorporation of a European subsidiary.

For other, less regulated businesses, there are two big questions: whether tariffs will be imposed on the export of goods to the EU and whether businesses will in the future have to comply with both European regulations relating to their industry as well as new regulations in the UK. By way of example, toy manufacturers currently have to manufacture to a single European standard in order to sell in all member states. Post-Brexit, the European standard will remain for sale into the EU, but presumably the UK may develop a different standard that will also have to be complied with.



What should we be doing?

Since the referendum, Buckworths have been busy ensuring that we are best placed to advise clients on Brexit management. We have developed a monitoring team which keeps us abreast of Government policy announcements. We have created a Dublin-based team which can set up branches for our clients to ensure that they are able to trade within the EU post-Brexit. We have developed specialist knowledge of the options for fintech, med-tech and bio-tech clients seeking to passport into the EU as non-Member State regulated businesses. We offer detailed Brexit reviews to our clients which identify the risks to their business posed by Brexit and propose solutions to manage and reduce those risks. For many startups, the creation of a European subsidiary is an easy way to manage risk whilst simultaneously offering opportunities for expansion. Completing a risk review and beginning to structure any solutions will be increasingly important for businesses over the next 12 months. Investors (and in particular VCs) already see Brexit as a significant risk factor when investing in early-stage businesses. Companies seeking investment will need to demonstrate not only that they understand the risk but that they are taking active steps to hedge against such risk and to ensure that their business is as immune to cliff-edge changes as possible.

Setting up European structures (whilst maintaining any existing tax reliefs such as SEIS and EIS) will take time. Clearances may be required from HMRC and other regulators, tax registrations may take time and analysis of pricing and invoicing policies may be involved. Clients should not ignore Brexit and should not wait for a final deal to be announced by the Government. It is likely that business will face a cliff-edge transition regardless of the statements coming from Government. To avoid business interruption and significant potential losses, clients should begin to structure for the world post-Brexit now.



Buckworths 2016 in Numbers

Number of clients supported during 2016: 234
Number of events hosted: 17
Number of people who attended our events: 1959
Amount raised by biggest investment round: £4,409,998.36
Number of awards won: 6
Aggregate amount raised by our clients: £54,067,341.00
Number of investment rounds advised on: 51
Number of companies incorporated: 141
Number of followers on Twitter: 1,449
Number of countries in which our clients are based: 23
Number of court hearings attended: 29
Number of filed confirmation statements: 169
Number of letters received: 2,384
Number of registered trademarks: 34
1 law firm specialising in high growth businesses

