Photo credit: https://www.bighospitality.co.uk/Article/2019/08/21/Beyond-Brexit-are-restaurant-supply-chains-ready-for-no-deal
Written by Steve Giachardi
On 25th May 2018, data protection moved from the
shadows into the spotlight. Suddenly, businesses of all sizes were at risk of
huge fines for failure to comply with the new law, marketeers were in fear of
contacting people without their consent, small businesses were rapidly adding
cookie warnings and privacy notices to their websites - explaining what they
did with your personal data, and larger companies were creating whole
departments to respond to an anticipated deluge of data access requests. The media
focus throughout the whole “GDPR is coming” furore was of course the massive
fines - up to €20 million or 4% of worldwide annual turnover, whichever is greater… And,
lurking in the corner, was Brexit.
What will be the impact of Brexit on GDPR? Will Brexit mean
that GDPR will no longer apply?
The simple answer is that nothing will change – at least for the
foreseeable future. GDPR will still apply to companies in the UK, as it does to
any organisation, wherever it is based, that processes the personal data of
people in the EU (the GDPR's reach is set by where the data subjects are, not by
their citizenship).
If the UK leaves without a deal, the EU (Withdrawal) Act 2018 (EUWA), which is
already on the statute book, converts the GDPR into UK law on exit day. The
purpose of the EUWA is to ensure that the fundamental principles, obligations
and rights that organisations and data subjects have become familiar with stay
the same. The EUWA also gives ministers the power to make the amendments needed
for the GDPR to work effectively in a UK context, for example replacing
references to EU institutions with their UK equivalents.
But what does this actually mean for your business? It’s all
very well understanding that the government has an Act that sounds like a Star
Wars character, but what impact will a no-deal Brexit have on your business?
Transferring Data – Inside and Outside the European Economic Area (EEA)
The UK Government has published guidance stating the following about
transferring data to EEA (European Economic Area) states: “The UK will
recognise all EEA states, EU and EEA institutions, and Gibraltar as providing
adequate levels of protection for personal data”. This means that personal data
can continue to flow freely from the UK to those states following the UK’s exit
from the EU.
Note the direction, though: this is the UK recognising the EEA, and it does not
bind the EU. Data flowing the other way, from the EEA into the UK, is only
covered once the European Commission has adopted an adequacy decision for the
UK. Until it does, an EEA organisation sending personal data to a UK business
needs another safeguard, which for most will mean Standard Contractual Clauses,
and it is the EEA sender who will come asking for them.
For the transfer of personal data outside the EEA, the UK intends to preserve
the effect of the existing EU adequacy decisions, so transfers to countries and
territories such as Japan, Canada, Israel and the United States (in the US case,
only to organisations certified under the EU-US Privacy Shield) can continue as
they do today.
For data leaving your business, then, Brexit will have no immediate impact on
transfers to your trading partners; for data arriving from the EEA, check which
safeguard your partners are relying on.
If you already have Standard Contractual Clauses (SCCs) in place between you
and your trading partners, these will continue to be valid, so there is no need
for an interruption in the flow of data between organisations. Going forward,
the power to issue new SCCs will move from the EU to the UK, exercised through
the Information Commissioner’s Office (ICO), after the UK leaves. But again,
essentially, nothing really changes.
The biggest questions, I guess, are those around Data Controllers and Data
Processors. Will there be an impact on leaving the EU? Will this change the
status of my organisation? Again, the answer is no. The UK Government states
that the “responsibilities of data controllers across the UK will not change”.
Whether your business is a Data Controller or a Data Processor is still decided
the same way: the controller is whoever determines the purposes and means of the
processing, in other words what personal data is collected and what it is used
for; a processor only acts on the controller’s instructions.
EU GDPR – Friend or Foe?
Interestingly, the EU GDPR has influenced data protection regulation beyond
Europe, especially around Personally Identifiable Information (PII), and in a
refreshingly good way. The UK Data Protection Act 2018, passed last year,
supplements the GDPR and aligns UK privacy law with it. ISO and IEC, the
Geneva-based international standards bodies, have published ISO/IEC 27701, an
extension to ISO/IEC 27001 and ISO/IEC 27002 that adds the requirements and
guidance for a privacy information management system. On top of the
information security controls of 27001, the extension sets out separate
controls for organisations acting as PII Controllers and as PII Processors. The
incoming California Consumer Privacy Act is another piece of legislation that
seems to take its lead from the GDPR.
The magic, or beauty, of the GDPR is that it transfers the
power from the organisation to the person (the data subject). In truth, the
exponential growth of the internet into every corner of our (working) lives has
happened with a zeal for the possible. The idea that data, especially identity,
would become more valuable than gold was unthinkable when the internet was
launched. We all created data back then - whether it was our first website, or
those posts in the text chat forums - we were leaving behind evidence of our
identity. Now, trying to regulate what happens with our data is very much
closing the stable door while the horse is galloping into the next valley!
The Power (and Responsibility) of Personally Identifiable Information
The attempt by the GDPR to rein in the use of PII, to
restrict what companies can and can’t do with the data that we, in whatever
capacity, share with them is to be welcomed. That it creates an unwelcome extra
level of diligence on organisations highlights that the correct governance and
procedures weren’t in place from the beginning.
The adoption of the internet has been fuelled by advances in the
infrastructure that supports it. The whole new working paradigm of
Infrastructure, Platform and Software “as-a-service” (IaaS, PaaS and SaaS) has
only been possible with the spread of fibre broadband to deliver these services
reliably. Office 365, Amazon Web Services, Google Cloud, Salesforce, Slack -
none of these everyday business tools would be possible without reliable
internet.
All these services need your identity for you to be able to access them. PII is
the new firewall. Your identity is the edge: with the office network perimeter
gone, the login is what stands between an attacker and the data. That’s why it’s
so important that companies take care of the usernames, email addresses, bank
details, national insurance numbers, driving licence numbers and passport
numbers that we provide.
That’s why there’s a need for GDPR and that is why, after Brexit,
organisations that handle the personal data of people in the UK or the EU will
still need data protection by design and by default.
Brexit changes nothing – for now, at least.