The British Prime Minister has said that although the UK will pursue an independent data protection policy, it’s “business as usual for data protection” until the end of 2020.
SureCloud explains why Brexit should act as a reminder for organisations not to get complacent about data protection. The ICO is still handing out fines and, with the UK data protection law expected to remain aligned with the GDPR, there is no doubt it will be the organisations that are already compliant with the GDPR that will be best prepared for what’s to come next.
The UK government has been consistent since the first Brexit announcements that UK law will keep parity with the GDPR after Brexit. Now that the UK has left the EU, the governing legislation is the Data Protection Act 2018, which enacts the principles of the EU GDPR into UK law, supplemented by a statutory instrument issued to cover the transition period.
With regard to data transfers, the UK has moved from being an EU member state to a ‘third country’. This will make no practical difference to organisations until the end of the transition period this year. After that, if the EU Commission has not recognised the UK as adequate, every transfer from the EU will require additional safeguards, such as an approved code of conduct or a transfer mechanism like the Privacy Shield framework used for US recipients.
‘Adequacy status’ is about demonstrating to the EU that personal data is processed safely in the UK, so that transfers to it do not need to be restricted. Although the UK has been operating under the rules of the GDPR, it will not automatically be granted this status. The differences between the DPA 2018 and the GDPR are minor, but they may be enough to prevent an adequacy decision. Unfortunately, the assessment is likely to be used as a political tool rather than applied in the spirit of the GDPR, and may single out measures such as the Investigatory Powers Act 2016, which the EU views as giving the state too much power to intrude on privacy.
Organisations need to prepare for the worst case: that the UK ends the transition period with third country status. UK to EU transfers are governed by UK law, and the UK government has stated that they will remain unaffected. For EU to UK transfers, organisations should prepare for a no-deal outcome by putting in place Standard Contractual Clauses (SCCs), the EU-approved data protection clauses for transfers to third countries.
Brexit is highly politicised, and the EU may want the world (and the other EEA countries in particular) to see that the UK feels the pain of leaving. My advice to UK businesses that need to process the data of EU data subjects is to read up on the derogations for third countries and start putting the standard contractual clauses in place now. The ICO has templates available.
For those thinking that the heat is off outside of the GDPR, think again. The ICO retains the same powers and is demonstrating their use through enforcement; it still holds the number two spot for the largest GDPR penalty with the fine proposed against British Airways in 2019. The UK is also among the top three countries for data breach notifications to regulators, showing that these obligations are being actively exercised. Once the UK is outside the EEA, we may also find EU supervisory authorities coming after UK organisations again for political reasons.