GDPR and Brexit
GDPR has been, and in many cases still is, exercising the minds and resources of many organisations. Processes and systems are being changed to ensure that the GDPR requirements are met.
One of the big issues with this implementation is that, despite the rules being known for some time (the GDPR actually became EU law on 14 April 2016), the need to implement changes to processes and systems before it came into effect in May 2018 seems to have come as somewhat of a surprise to many, resulting in a rush to become compliant.
So, with a little less than a year before the UK leaves the EU, it is perhaps wise to consider what impact that may have on the rules around data security and privacy so recently implemented by the GDPR.
Once the UK leaves the EU, the fact that we have implemented the GDPR into UK law will no longer be adequate to ensure that UK data security and privacy standards are accepted by the EU. This will mean that another process or agreement will need to be put in place to ensure that data flows between the UK and the EU are not impacted.
The first possibility, and the preferred option, is that the EU and UK negotiate a data adequacy agreement. This would allow UK businesses to continue processing the personal data of EU citizens with little or no change from the existing requirements under GDPR.
So what is a ‘Data Adequacy Agreement’?
Data adequacy is a status granted by the European Commission to non-EEA countries whose national laws provide personal data protection that is “essentially equivalent” to that provided in European law. Once a country has been awarded the status, information can pass freely between it and the EEA in the same way as it can now.
However, the EU has expressed concerns that the Data Protection Act 2018, the law that enacts the GDPR in UK law, does not fully meet the requirements it would need for a data adequacy agreement. For example, some of the exceptions in the Act that allow data processing by law enforcement and security agencies may not be acceptable to the EU. Additionally, the EU has already raised concerns about the Investigatory Powers Act.
All of this may mean that the EU decides not to grant the UK data adequacy status. Even if such status is granted, it may well be delayed beyond the point the UK leaves the EU.
In this case, to continue to process the personal data of EU citizens, UK businesses will need to adopt what are called “Binding Corporate Rules” (BCRs). Businesses that wish to use these to continue processing personal data must demonstrate that their BCRs put in place adequate safeguards for protecting personal data throughout the organisation in line with the requirements.
Now obviously, if you are already GDPR compliant (with the EU version rather than the one enacted by the UK), then actually achieving that shouldn’t be too hard. However, there is a requirement to get these rules ‘signed off’ by a ‘Lead Data Protection Authority’. Your choice of lead authority depends on the location of the EU headquarters of your company or the location within Europe of that part of your company best placed to take responsibility for global data protection compliance.
A good overview of this is given by the ICO, the UK’s DPA: https://ico.org.uk/for-organisations/guide-to-data-protection/binding-corporate-rules/
However, remember that once we leave the EU you will need to pick a DPA in one of the remaining EU states.
Hopefully this will not be needed and the UK will receive an adequacy decision from the EU. However, businesses need to be aware of this and begin making preparations for the event that no such agreement is in place by the time we leave the EU.