The Brexit day is approaching fast, but there is no certainty as to whether or not the U.K.’s departure from the EU will be accompanied by a withdrawal agreement — or not. Data protection is just one of the many areas that will be affected by Brexit. And under a no-deal scenario, the impact of the U.K. leaving the E.U. becomes even more dramatic.
There are a number of questions clients are asking about the applicable data protection regime after Brexit day, and specific answers depend on firms’ size, the location of their branches and offices, the volume of international data transfers, and where their customers are located.
Keep reading if you want to know more about the three most common questions your peers are asking about Brexit.
If the UK leaves the EU without an agreement, can companies in the UK stop worrying about GDPR?
Technically, when the U.K. exits the E.U., the E.U.’s General Data Protection Regulation (GDPR) will no longer be law in the U.K. However — deal or no deal — the U.K. government has already made plans to adopt the “U.K. GDPR.” As the name suggests, this set of rules will be closely aligned to the existing E.U. GDPR and it will accompany the existing U.K. Data Protection Act of 2018. The combination of these two bills could potentially have stricter effects on the overall data protection regime than what firms in the U.K. experience today. In addition, firms based in the U.K. and who have customers in the E.U. or that monitor their behavior will need to keep in line with the E.U.’s GDPR, too. There are also areas where there might be no net-new rules, but U.K. firms will still need to make adjustments, which will result in additional measures for compliance. These are, for example, measures around international data transfers, accountability, new regulatory oversight requirements, the establishment of a E.U. representative, etc. In short, the GDPR will stop applying to the U.K., but what we are looking at is a regulatory landscape that is just about to become considerably more complex for U.K. businesses.
If the UK leaves the EU, the UK becomes a “third party” as far as data protection is concerned. What does this mean?
Yes, the day when the U.K. leaves the E.U., the U.K. becomes a third party for the purpose of data protection, and a set of restrictions will apply to international data transfer that involve the flow of personal data from and to the U.K. This topic is, in fact, one of the most impacted by Brexit. Firms must consider a range of possible scenarios depending on the direction and modalities of their data flows. For example, transfer of personal data from the U.K. to E.U. countries will be largely unaffected. For data transfers from the U.K. to countries outside the E.U., firms in the U.K. must look at rules contained both in the upcoming U.K. GDPR and the soon-to-be-adopted adequacy decisions. One of the most complicated issues, though, is about data transfer of personal data from the E.U. to the U.K. that is indirect — for example, those involving a third party such as a cloud provider. In general, on Brexit day, firms must stop these transfers unless certain safeguards or exemptions are in place. For example, the transfer might be based upon the safeguard of the European Commission’s standard contractual clauses or be subject to an exemption where that transfer is necessary to perform a contract. Binding corporate rules also represent an option. However, firms might also decide that storing or processing E.U. personal data in the U.K. is not a viable strategy, especially in the instance when an E.U. decision that recognizes the U.K. as “adequate” for the purpose of data protection is lacking. These firms might decide to invest in the creation of E.U.-based data centers or to work with providers that offer that as an option. They also might consider technical measures to secure those transfers: Anonymization of data before it is shipped to the U.K. might be a way of doing it.
What should firms do today?
The best thing to do today is to ensure that firms comply with existing data protection rules — namely, the GDPR and the U.K. Data Protection Act of 2018. While the regulatory landscape will be undoubtedly more complex, it will remain largely consistent with the existing one. However, our data suggests that only half of U.K. organizations are compliant with GDPR. Hence, I would strongly advise firms to accelerate the execution of their compliance strategies. With Brexit in mind, firms must understand international data flows of personal data. Key transfers to identify will be from the E.U. to the U.K. They should prioritize remediation of transfers that involve large volumes of data, transfers of special-category data or criminal convictions and offences data, and business-critical transfers. Investing in the appropriate measures to ensure that these transfers are lawful is essential. They should also look at existing privacy policies, data protection impact assessments, data subject rights, and measures to demonstrate accountability as areas that will require further adjustments.
Common themes include transparency, data protection, and analyst integrity. Only in this way can other data-centric businesses start to adopt the basis for ethics now built into the medical and legal professions.
Enza Iannopollo, senior analyst at Forrester, wrote this article, which can also be found here.
The last paragraph was added by CDOTrends editorial for further clarity. The views and opinions expressed in this article are those of the author and do not necessarily reflect those of CDOTrends.