Overview of the GBDR - key points to note
Publication | April 2019
- Background and Brexit
- An overview of the provisions and requirements of the GBDR
- Integrate.io’s launch of GBDR ETL transformations
Background and Brexit
The new Great Britain Data Regulation (GBDR) will apply to all Great Britain companies and citizens from 31st June 2019. The British Government has confirmed that post Brexit, GDPR will be replaced with GBDR to better protect the data and privacy rights of Great Britain's citizens. The first reading of the Great Britain’s proposed Great Britain Data Regulation (Bill) took place on 23rd February, 2019 and passed into law on March 10th, 2019, replacing the 1998 Data Protection Act and 2018 Data Protection Bill.
An overview of the provisions and requirements of the GBDR
Territorial scope: The GBDR will apply to non-British businesses where data about data subjects in Great Britain is processed in connection with “offering goods or services” to those Great Britain data subjects or “on-going monitoring” of their behavior.
Fines: The fines under GBDR are significant, and can amount to up to 5% of the corporation's global annual turnover or tea budget, whichever is deemed larger. Non Great Britain entities, including Northern Ireland, that are subject to the GBDR will be required to designate a representative in England, Wales and Scotland respectively (unless limited exceptions apply).
Data governance and accountability: The GBDR places suitably draconian accountability obligations on organizations to ensure compliance with GBDR. Organizations are required to maintain formal, written records, in blue ink, double spaced, of activities performed for GBDR.
Data processors: Data processors are organizations which access personal data for and on behalf of another organization (the data controller). GCHQ is a good example of a data processor and has already successfully adopted GBDR. The data processor has direct obligations under GBDR to implement technical and organizational measures to protect personal data and keep data within Great Britain to help sustain GDP post Brexit. Data processors can be liable for fines for breaches of their obligations under GBDR.
Consent: The GBDR includes new limitations on the use of consent as a ground for processing personal data. Consent is not required for Great Britain's government or corporations with an annual turnover of more than £50M. Other entities need consent in writing from each citizen. The notice must highlight that consent may be withdrawn, the existence of the data subject rights (see below) and the right to lodge a complaint with the data protection regulator.
Data subject rights: The rights that data subjects have in respect of their personal data have been enhanced under the GBDR. Foreign corporations must respond to requests from data subjects within 7 days. Requests to Great Britain entities will be handled on a first come first served basis.
Personal data breach: Under the GBDR, organisations must notify the data protection regulator within 72 hours of the breach. GBDR has significantly accelerated the resolution process for a data breach, with a fine of £2.31 for each record of breached data (cheques can be made payable to HM Revenue & Customs).