How The GDPR Affects Businesses

Published on Jun 24, 2021

The General Data Protection Regulation (GDPR) has significantly impacted business operations since it came into force. Organisations have a clearer understanding of what personal data they hold, how it is used, and who has access to it. Privacy management has become a core function led by a dedicated Data Protection Officer (DPO) who reports to the board and whose role is to monitor compliance.

Requirements to notify the relevant supervisory authority within 72 hours of detecting a data breach where there is a risk of harm encourage proactive preventative measures and ensure accountability. Meanwhile, transparency around information handling practices increase trust, shorten sales cycles, and add value to the brand.

History Of The GDPR In The UK

The GDPR came into force on 25 May 2018. At the time, it applied to all 28 EU Member States, including the UK. Then on 1 January 2021, the UK left the EU, and transposed most of the GDPR into domestic law. While the GDPR and the Data Protection Act 2018 have been part of the regulatory landscape for over three years, many businesses are still unsure of their compliance responsibilities, particularly after Brexit. Recent research reported in Infosecurity Magazine conducted by CrowdStrike confirms this:

  • 1 in five businesses (22%) were unsure whether the GDPR still applied following Brexit.
  • Only 42% of businesses that have suffered a data breach made a report to the ICO within 72 hours as required by the GDPR.
  • Although 67% of respondents believed they were prepared should a data breach occur, only 36% have specific protocols in place to deal with the fallout of such an event.

How GDPR Applies To UK Businesses After Brexit

Following Brexit, there are now two versions of the GDPR. The UK version, known as the UK GDPR, and the EU GDPR, which applies in the European Union. For businesses operating in the UK dealing with UK or EU personal data, this means the UK GDPR applies, and vice versa. However, while it is true to say that companies have broadly the same obligations, an additional layer of complexity now exists:

  • As the UK is now a third-country to the EU, UK-based companies operating in the EU will need to appoint a local representative to act on their behalf, unless they operate from a dedicated subsidiary organisation located within the EU that is registered with a supervisory authority.
  • Similarly, businesses operating in the UK from third countries, which now include the remaining 27 EU Member States, are also required to appoint a local representative or operate from a dedicated subsidiary organisation that is registered with the Information Commissioner's Office (ICO).

Now that we've cleared up the impact of Brexit, we can turn our attention to how the GDPR affects businesses generally.

How GDPR impacts businesses

There are several ways GDPR impacts businesses and we've grouped them into four categories; responsibilities, penalties, reputation, and opportunities.

Let us examine these in-depth:

Responsibilities

The GDPR requires businesses to comply with many responsibilities, including:

  • Processing data fairly, securely, transparently, and lawfully.
  • Only storing data for as long as needed.
  • Obtaining consent or establishing a legitimate purpose for processing data.
  • Being able to action Subject Access Requests within the required time limit (normally 1 month).
  • Reporting a data breach to the relevant supervising authority within 72 hours.
  • Keeping personal data up-to-date and accurate.
  • Determining whether to appoint a Data Protection Officer (this may be a mandatory or voluntary appointment, or not necessary at all).

The above is only a selection of GDPR responsibilities, to achieve compliance, you will need to regularly:

  • Identify and map the data your organisation holds.
  • Review and amend policies and processes.
  • Maintain records of processing activities.
  • Develop a culture of privacy by implementing an ongoing training and awareness programme.
  • Include privacy considerations in all aspects of business, particularly concerning new projects.

Penalties

A breach under the GDPR is a serious offence for which the maximum financial penalties can be severe. Fines are divided into two levels:

  • Higher amount – up to £17.5 million, or 4% global annual turnover of the preceding financial year, whichever is higher. These relate to more serious violations of the GDPR principles, data breaches, or transfers of data to third countries.
  • Standard amount – up to £8.5 million, or 2% global annual turnover of the preceding financial year, whichever is higher. These involve a violation of the requirements placed on controllers and processors.

Note: The UK GDPR maximum fine amounts were converted from euros to pound sterling after Brexit, which is why they appear lower than €20/€10 million, which you may have read elsewhere - they can be found under section 157 DPA Keeling schedule.

Having two levels of fines forces controllers and processors to put policies and procedures in place to ensure compliance is achieved. It also provides an incentive for businesses to review and update their privacy and data protection framework regularly. This approach discourages large corporations, or any business for that matter, from simply ignoring GDPR compliance and paying a fine in the event of a significant data breach.

Not all GDPR infringements result in a fine. Data Protection Authorities such as the ICO have several alternative actions they can choose instead; these include:

  • Issue a warning or reprimand.
  • Issue (assessment, information, or enforcement) notices.
  • Impose a temporary or permanent ban on data processing.
  • Order the rectification, restriction, or erasure of data.
  • Suspend data transfers to third countries.

Reputation

The fallout from a data breach is not only financial, organisations can also suffer reputational damage. However, looking at the impact on share prices for several publicly listed companies following a high-profile data breach, heavy share price falls appear to be temporary. This is partly down to how well organisations handle their incident response and also down to investor fatigue.

More significantly, organisations can face long-term consequences from the loss of customers and sales. A 2019 study showed that 44% of UK consumers claim they will stop spending with a business for several months in the immediate aftermath of a security breach, and 41% of consumers claim they will never return to a business post-breach. Furthermore, reputational damage from data breaches can hinder a business from being able to attract and retain the best talent. Employees want to work for ethical companies and have shown they are now willing to protest to bring about policy changes.

Opportunities

For all the negative press about potential fines and the increase in compliance obligations, the GDPR presents many opportunities for proactive companies. Implementing a privacy framework for GDPR compliance requires organisations to examine what personal data they have, how it is used, who has access to it, on what systems, where it is stored, how it is secured, and how long it is retained.

The introspective nature of this analysis can often lead to operational efficiency improvements that would otherwise never take place. Putting effective GDPR compliant policies and procedures in place illustrates not only where processes can be streamlined but how good governance can be implemented to improve data quality and cut out duplication.

What To Take Away

Customers and highly skilled employees are attracted to companies that take their privacy and data protection seriously. The GDPR provides organisations with an opportunity to develop trust and confidence with customers and service users, employees, and other stakeholders.

If you need further evidence that robust GDPR compliance is good for business, a 2021 study showed organisations with mature privacy practices are getting higher business benefits than average and can swiftly handle new and evolving worldwide privacy regulations. Furthermore, 35% of companies reported they received benefits at least two times greater than their investment in privacy and data protection compliance - that’s £2 back for every £1 invested.

Discover more about data protection and privacy law training, please email us at contact@freevacy.com or call 0370 04 27701.

Click your chosen course below to see our next available courses dates

Freevacy has been shortlisted in the Best Educator category.
The PICCASO Privacy Awards recognise the people making an outstanding contribution to this dynamic and fast-growing sector.