We complete our list of top 10 tips to prepare for data protection laws when entering UK and EU markets.
There are a range of data protection practices your company will need to get to grips with if it is planning to expand overseas to operate or sell products in the EU or UK market. These are incredibly important to address early in the expansion process – and prioritize.
Failure to address data protection laws in the UK or EU can lead to fines of up to 4% of worldwide turnover or up to €20 million for breach of the General Data Protection Regulation (GDPR), or £17.5 million for breach of the UK GDPR, whichever is higher.
There are also positive reasons for putting good data protection practices in place earlier: for example, good data protection practices can be a valuable feature for customers and any potential company investors in the future. What other data protection considerations should US companies take as they look to expand internationally?
Check whether you need to register with a regulator
If you are expanding and forming a company in the UK that handles personal data, the company will need to register with the UK Information Commissioner. Failure to register can attract fines. In the EU, rules on registration vary between Member States. We recommend checking whether this is a requirement if your business is setting up a company in a Member State.
Do you need a data protection officer?
If your organization's core activities involve large-scale monitoring of individuals, or you process a lot of sensitive or "special category" personal data, then you might need a data protection officer.
Get your records ready
Under the GDPR and UK GDPR you are required to keep records of the types of personal data your organization processes. If you are a controller (you make decisions about how to use the personal data, as opposed to just using it to fulfill someone else's request, which would make you a processor), you also need to keep records of the lawful basis for holding that data. These records should be detailed enough to include retention periods and to provide a useful overview for the business.
Making and maintaining these records can be a big task, so it's best to start early (upon entering the EU and UK markets) to make this task easier to manage.
Check your security arrangements
While having good data security practices is always advantageous no matter what jurisdiction you are expanding from (a data leak can always mean logistical worries and bad PR), in the EU and UK it could also mean fines. When expanding, it's best to ensure that the organization's data security practices are in line with current recommendations and are actually being implemented across the organization.
Does the organization have retention periods in place?
It is a requirement under the GDPR and UK GDPR to keep personal data for no longer than is necessary for the purpose for which you obtained it. If you haven't already, you will need to consider how to delete personal data that you no longer need, and how these processes will be implemented in the future.
… And UK changes on the horizon
In addition to our 10 top considerations, data protection law in the UK may change in the near future as a consequence of Brexit. While at the moment the UK has almost identical data protection laws to the EU, the UK government has introduced a new Data Protection and Digital Information Bill which, if and when passed into law, is likely to lead to a number of changes.
Osborne Clarke comment
There is a lot to consider when expanding internationally and, while data protection can sometimes feel like a large task, it can be made easier to manage by identifying what obligations apply to your organization early in the process of entering the UK or EU markets. This helps prevent a backlog of tasks, which can often be more difficult, time consuming and costly to put in place in retrospect. In addition, failing to comply with aspects of the GDPR or UK GDPR (as relevant) can leave your organization exposed to the risk of fines or other regulatory action.
This concludes our series exploring 10 top data protection considerations for companies expanding internationally – the first part explored the first five areas that organizations should address.