Wednesday 27 November 2019

Deal or No Deal Brexit | The Impact on EU GDPR

Written by Steve Giachardi

On 25th May 2018, data protection moved from the shadows into the spotlight. Suddenly, businesses of all sizes were at risk of huge fines for failure to comply with the new law, marketeers were in fear of contacting people without their consent, small businesses were rapidly adding cookie warnings and privacy notices to their websites - explaining what they did with your personal data, and larger companies were creating whole departments to respond to an anticipated deluge of data access requests. The media focus throughout the whole “GDPR is coming” furore was of course the massive fines - €20 million or 4% of your annual turnover, whichever is greater… And, lurking in the corner, was Brexit.

What will be the impact of Brexit on GDPR? Will Brexit mean that GDPR will no longer apply?

The simple answer is nothing will change – at least for the foreseeable future. GDPR will still apply to companies in the UK as it does to all companies that are in possession of data belonging to EU citizens.

If the UK leaves without a deal, the UK Government has prepared the EU (Withdrawal) Act 2018 (EUWA), which retains the GDPR in UK law. The purpose of the EUWA is to ensure that the fundamental principles, obligations, and rights that organisations and data subjects have become familiar with will stay the same. The EUWA also gives the government the power to make appropriate amendments to ensure that GDPR works effectively in a UK context.

But what does this actually mean for your business? It’s all very well understanding that the government has a bill that sounds like a Star Wars character, but what impact will a no-deal Brexit have on your business?

Transferring Data – Inside and Outside the European Economic Area (EEA)

The UK Government has published guidance, stating the following about transferring data between EEA (European Economic Area) states: “The UK will recognise all EEA states, EU and EEA institutions, and Gibraltar as providing adequate levels of protection for personal data”. This means that personal data can be freely transferred between those states following the UK’s exit from the EU.

Transfers of personal data outside the EU will continue with countries or territories that already have an adequacy decision in place, such as Japan, Canada, Israel, and the United States.

Brexit will have no immediate impact on existing data transfer between your business and your trading partners.

If you are an organisation that has Standard Contractual Clauses (SCCs) in place between you and your trading partners, these will continue to be valid. There will be no need for an interruption in the flow of data between organisations. Moving forward, once the UK has left the EU, it will be the UK Information Commissioner’s Office, rather than the EU, that is empowered to issue new SCCs. But again, essentially, nothing really changes.

The biggest questions, I guess, are those around Data Controllers and Data Processors. Will leaving the EU have an impact? Will this change the status of my organisation? Again, the answer is no. The UK Government states that the “responsibilities of data controllers across the UK will not change”. Whether your business is a Data Controller or a Data Processor is still decided by establishing who determines what data should be collected and what that data is going to be used for.

EU GDPR – Friend or Foe?

Interestingly, the EU GDPR has had an influence on data protection regulations beyond Europe, especially those relating to Personal Information, and in a refreshingly good way. The UK Data Protection Act 2018 amendments released last year aligned UK privacy and data regulation with the GDPR. ISO/IEC, the Swiss-based International Standards Organisation, released an extension to the ISO/IEC 27001 certification, ISO/IEC 27701, which focuses on security techniques specifically around Personally Identifiable Information (PII). The extension looks at the controls relating to both Controllers and Processors and the impact of those controls on PII. The incoming California Consumer Privacy Act is another piece of legislation that seems to take its lead from the GDPR.

The magic, or beauty, of the GDPR is that it transfers the power from the organisation to the person (the data subject). In truth, the exponential growth of the internet into every corner of our (working) lives has happened with a zeal for the possible. The idea that data, especially identity, would become more valuable than gold was unthinkable when the internet was launched. We all created data back then - whether it was our first website, or those posts in the text chat forums - we were leaving behind evidence of our identity. Now, trying to regulate what happens with our data is very much closing the stable door while the horse is galloping into the next valley!

The Power (and Responsibility) of Personally Identifiable Information

The attempt by the GDPR to rein in the use of PII, and to restrict what companies can and can’t do with the data that we, in whatever capacity, share with them, is to be welcomed. That it creates an unwelcome extra level of diligence for organisations highlights that the correct governance and procedures weren’t in place from the beginning.

The adoption of the internet has been fuelled by advances in the infrastructure that supports it. The whole new working paradigms of Infrastructure, Software and Programs “as-a-service” have only been possible because the spread of fibre broadband can reliably deliver these services. Office365, Amazon Web Services, Google Cloud, Salesforce, Slack - none of these everyday business programs would be possible without reliable internet.

All these services need your identity for you to be able to access them. PII is the new firewall. Your identity is the edge. That’s why it’s so important that companies take care of the usernames, email addresses, bank details, national insurance numbers, driving licence numbers, and passport numbers that we provide.

That’s why there’s a need for GDPR and that is why, after Brexit, there will still need to be good PII protection by default in organisations that deal with data belonging to EU Citizens.

Brexit changes nothing – for now, at least.