The decision for the UK to exit the European Union has been taken, but characteristics of the EU will live on in the UK and, at least in the short term, so will its legislation.
For those of us working in the world of data this includes the soon to be implemented General Data Protection Regulation (GDPR) set to come into force in 2018.
UK companies should prepare to comply with the new GDPR regardless of when Article 50 is triggered.
Businesses are understandably in a state of flux due to uncertainty in the marketplace, but what is expected of us as companies operating in Britain with regard to data protection is relatively clear.
We will still be an EU member state when the GDPR comes into play, and therefore we will be subject to the law.
Of course, it’s important to mention that the UK and the EU are linked by much more than the exit strategy under Article 50.
So, how the UK positions itself after Brexit in relation to the GDPR, amongst other things, needs to be determined and negotiated.
The implementation of the GDPR in 2018 may act as something of a wake-up call for hardline eurosceptics.
A key argument for the “Leave campaign” was that if the UK voted to leave the EU it would not have to abide by EU laws.
But the GDPR has a much further reach than its predecessor, the Data Protection Directive, and we should be under no illusions – the GDPR will apply to companies that sell services or monitor the behaviour of individuals within the EU.
So what next?
Since no country is an island (at least economically), it is fair to assume that in some way the UK will continue to trade with the EU; but once Article 50 is triggered the UK could exercise various options when it comes to ensuring that trade and the free flow of data can take place.
Simply put, it could join the European Economic Area (EEA) or the European Free Trade Association, it could negotiate a series of bilateral trade agreements with individual or groups of countries within the EU, or (and this is only to cover all bases) it could choose not to trade within the EU at all.
If the UK joins the EEA, under the current data protection directive businesses cannot share personal data concerning their employees, customers and suppliers outside the EEA unless the protection provided outside of the EEA is of an adequate nature.
This is achieved in four ways.
First, by the European Commission deeming that a country is considered ‘adequate’; and second, by use of the model clause agreements between the exporting and importing parties.
Third, by the adoption of binding corporate rules by the importing party; and fourth, in a recent development in relation to exports of personal data to the USA, the importing party being a member of the Privacy Shield scheme.
It should be noted that the procedure for setting up binding corporate rules is quite arduous for businesses and can take some time to get approval.
Britain may be afforded the same status as other non-EU member states, such as the status that Norway and Iceland currently have.
This would mean it would be designated as akin to adequate under the GDPR. This would make data transfers somewhat easier, assuming the EU found the UK’s data protection regime to be adequate and rigorous.
However, the UK would still have to comply with the requirements of the GDPR which has stronger requirements than the EU Directives.
The downside is not insignificant especially for those who supported Brexit; being a member of the EEA requires the adoption of a large percentage of EU law.
The second and perhaps more viable solution is to adopt the Swiss model whereby the UK will negotiate a series of bilateral trading agreements.
To follow this model successfully the UK would have to be recognised as an ‘approved country’, i.e., a country secure enough to share data with.
The UK will also not necessarily receive automatic recognition as an adequate country by the EU.
The Data Protection Act 1998 may need to be revised for the UK’s data protection regime to still be deemed adequate given the forthcoming GDPR.
The result could be the UK having to adopt the new GDPR, or at least adjusting its own data protection legislation to operate in a similar way to the new GDPR.
Data protection is bigger than Brexit
The GDPR will apply to UK companies that wish to provide goods or services to EU citizens or monitor EU citizens’ behaviour.
It is likely that the UK following its formal exit from the EU will legislate in a similar vein but regardless the only way to avoid having to comply with the GDPR is to choose not to trade with any businesses within the EU.
Failure to adopt appropriate processes to comply with this legislation will leave companies open to the increasingly large fines afforded under the GDPR, so businesses should be preparing to adapt to the legislation and not put compliance on hold.
What should businesses prepare for?
Companies holding data subject to GDPR will need to ensure they are ready for increased fines for data breaches, up to 4% of annual global turnover.
There is a “privacy by design” provision requiring that data protection be designed into business services.
Companies will need to ensure they are adopting measures to protect data right from the start of a client engagement, with explicit consent being obtained for the collection and processing of data.
In some cases the appointment of an independent data protection officer is necessary: where the organisation is a public authority, where the core activities of controllers or processors involve the systematic monitoring of data subjects on a large scale, or where the core activities of an organisation involve the processing of special categories of personal data on a large scale.
There is a “right to be forgotten”: a data subject has the right to request the erasing of personal data. Companies will need to take steps to understand how they can comply with such a request.
There is a prohibition on data being transferred outside the EU without approval from the relevant supervisory body.
Companies will have to tighten up and strengthen their processes around personal data if they continue to sell or provide services or goods to EU citizens or are monitoring their behaviour.
What is clear is that as technology becomes more sophisticated it is very hard for legislation to keep up, and the current Data Protection Act is showing its age.
A lot will depend on whether the UK also wishes to be deemed an adequate country for the processing of personal data.
Some final thoughts
The Data Protection Act 1998, the UK’s current legislation on data protection, is nearly 20 years old.
Technology and the use of data have moved on exponentially in that period of time, and any legislation dedicated to ensuring the proper processing of personal data should, as far as possible, move with the times.
The European Union is seeking to keep up with such developments by passing the GDPR; the UK may well have to do something similar, both to keep businesses’ and consumers’ personal data safe and to show the wider international community with whom UK businesses work that we take the management of personal data seriously.
What this means for businesses is that data protection processes need to be strengthened.
Rigorous processes, policies, auditing and standards must be in place to ensure the protection of personal data now.
Sourced by Lawrence Ryz, legal counsel at Kroll Ontrack Data Recovery