Brexit and your data: Are you ready for the new 2019 Data Protection law?

Just when you thought you had done all you needed to do about data protection, you should brace yourself, there are further change just around the corner. The reason is Brexit. 

In the event of a No-Deal-Brexit the Government has prepared new legislation which it has called the Data Protection, Privacy and Electronic Communications Regulation 2019, or for short, the UK GDPR. 

Yes, we are going to have our own version of the existing EU GDPR to ensure we can continue to process data separately from our Europe neighbours after we leave. The processing of data of UK citizens will be largely unaffected, with some technical amendments to any current policies and of course the mandatory need to ensure that UK based data subjects are aware of such change. But if you process the data of any European citizens then there are far-reaching consequences.

The main issue: Adequacy Decision

The main issue that many haven’t realised concerns something called Adequacy. The EU Commission awards an Adequacy Decision to countries that are considered a safe haven for personal data, places that are considered to have a high standard of Human Rights, maintain Political stability and have appointed Supervisory Authority to regulate data processing and uphold high standards of privacy. 

The UK which made a disproportionate contribution to the drafting of the original GDPR (The ICO  is the largest and best-resourced Supervisory Authority in the EU) currently benefits from an Adequacy Decision as do all other EU states but also Switzerland, Canada and Japan amongst a few others. This important stamp of approval ensures the free flow of data in a similar way to the free flow of people. It fuels trade and relinquishes organisations from the burden of red tape and the cost of implementing legally binding alternatives.  

What happens to data if there's a no-deal Brexit?

However, The UK’s problems may just be beginning on the 1st November if we crash out of Europe without a deal. This is because we will automatically lose our Adequacy as a non-EU country. 

We’ll apply to get it back of course, but these negotiations can only begin after we have left. This means that for the foreseeable future we will become a Third Country for Data Protection purposes and not considered adequate for processing non-UK Citizen’s data. The remedy will be a range of interim Safeguards designed to protect non-UK citizens and their data. These include things called Model Clauses, Data Sharing Agreements and the appointment of an in-Country representative (GDPR Article 27) to uphold the rights of all EU citizens wherever they live

Yes, you will need to find someone to stand in for you in every country in which you trade and don’t have an office or establishment. The paradox is that although the UK has stated that all EU countries will be recognised on the 1st November as Adequate from its viewpoint, the EU has not reciprocated. In simple terms, this means that you could send data from the UK to an EU state country such as France, but they would be breaking the law if they returned it to you without sufficient safeguards! 

Although the UK currently enjoys Adequacy, it doesn’t automatically mean we will regain our status and certainly not in the near future. There are hoops to jump through which is why it took Japan almost ten years to achieve theirs.  

Surveillance laws and GDPR

Amongst others, one problem concerns our surveillance laws. We have laws to enable our Government to snoop on us whenever it has a perceived need. So does the U.S. Europe however doesn’t and has long criticised such intrusive measures. It is anticipated that the EU will pressure the UK Government to change such laws amongst other requirements, in return for an Adequacy Decision.  We will watch with interest as this develops over time. 

Regardless of Brexit a recent survey by IT Governance revealed some startling facts about UK organisations and their compliance with Data Protection law. It reported that 79% of organisations are not compliant and fall short of their obligations. It seems this isn’t about an unwillingness to comply, but more about a lack of awareness. 

The research seems to suggest that in contrast to the high number of non-complaint organisations, only 25% of those questioned said they felt their knowledge of the GDPR could be improved. This is very confusing! But reveals the stark truth that most organisations are seemingly unaware of their legal responsibilities and remain vulnerable to enforcement action and reputational damage. Although most businesses wrote a policy or two last year, they haven’t fully implemented those policies into everyday business life.

The Information Commissioner has been loud and clear about this in recent times. She said that there is little or no evidence that organisations are Accountable for their processing of personal data as described in the GDPR Article 5(2), even though this is a mandatory requirement. Therefore, it is clear that there is still much work to be done and that compliance is a journey and certainly not a destination. 

Mark Burnett

Data Protection Officer 
Hope and May Ltd 

Join us every Wednesday for our "What's working best" social media insights webinars