24 January 2020
2020 will mark the UK’s exit from the EU. During this period of transition (which will end by default on December 31st 2020) a major part of the work the Government will have to undertake is to disentangle the country from the huge amount of EU regulation and law.
One of the major pieces of regulation passed over the last couple of years was the General Data Protection Regulation (GDPR) which was implemented with some fanfare in May 2018. Since its introduction the ICO has fined or threatened to fine a number of organisations huge amounts of money (up to £17million). This is seen a number of companies scrambling to ensure that they are adhering to the regulation with any data breach now under the spotlight of regulators, politicians, the public and media alike.
However, with Brexit now very much a reality, there remains some confusion as to whether UK companies will have to continue, or even start, to adhere to GDPR and other EU regulations. The simple answer is yes, certainly during the period of transition and even afterwards if businesses continue to collect data from the EU.
The only complication comes in the result of a ‘No Deal Brexit’. The UK Government has said in the event of such a scenario it would permit data to flow from the UK to countries in the European Economic Area (EEA), however, it has no control as to the flow of data from the EEA to the UK. A Brexit with a deal seems to be the only way that there is any kind of guarantee of the EU permitting data flowing from the EEA to the UK.
Businesses should not be fixated just on GDPR either, there are a number of other regulations that UK businesses have to understand and adhere to, certainly during the transition period. These include the PECR which covers marketing, cookies and electronic communications, eIDAS which covers ID and authentication and FOIA (which is the Freedom of Information Act 2000) and of course the Data Protection Act 2018 which controls how your personal information is used by organisations, businesses or the government. The Data Protection Act 2018 is the UK’s implementation of the GDPR. The complication with these regulations is that some have been transposed into UK law and so will continue after the transition period, whereas others haven’t (such as eIDAS) which means that they will cease to apply in the UK (unless there is a specific clause in the negotiated exit).
In all likelihood those regulations that are not currently transposed in UK law will be at some point in the near future and so ignoring the requirements of such regulations could put businesses at a disadvantage further down the line.
In many ways GDPR and Brexit has somewhat clouded the main point of regulations. Companies debating whether they should be compliant in the event of a No Deal have lost the point of GDPR which is essentially to ensure the security of the data which they handle.
The number of high-profile breaches over the last few years, plus the fines of at least threats of fines from the ICO post the introduction of GDPR has shown how such incidents are now very much in the public eye. Businesses should be looking, not whether they are or should be compliant with GDPR, but If they are as secure as they possibly can be; ensuring this will in all likelihood result in compliance anyway.
Another aspect of GDPR that businesses should be prioritising whether or not they believe they are going to be adhering the regulation or not, is the security of your supply chain. Essentially, it means nothing if you spend money and ensure that your security levels are high, if third parties and partners do not have the same level. Cyber criminals often target the partners and supply chain of their main focus of attack, as the weaknesses into the system are often all too apparent.
The high-profile nature of the implementation and the immediate action from the ICO in dealing out warnings and fines, in contrast to other regulations, has meant that businesses are under real pressure to adhere. Brexit has seemingly added a layer of confusion to this which in-turn has taken the focus away from the point of the regulation, which is the security of your customer’s data. Businesses need to ask themselves whether “are we secure” rather than “how does Brexit impact GDPR”.