One of the most uncertain issues in the current political climate has to be Brexit. The past few months have been rather turbulent in terms of negotiations, and it’s still up in the air as to what will happen when the country leaves the European Union. But, one question on many businesses’ lips is ‘how will Britain’s exit affect GDPR?’
While we know that nothing is set in stone regarding policies and strategy, at Q2Q, we’ve decided to pen a short and easy-to-digest blog to give SMEs some clarity on the cloudy situation, and offer insight into what the temperature of the GDPR pool is looking like post-exit – whether it’s a deal or no-deal outcome.
A GDPR recap
Last year – on May 25th – Europe upped the ante on its data protection rules and introduced the General Data Protection Regulation (GDPR) across all Member States. Essentially, this new legislation aimed to give individuals greater control over their personal information – any details that can be used to identify them – and changed the way in which companies across Europe could collect, process and store this.
As a result, all organisations – UK and Europe-wide – had to re-examine the way they handled their customer, employee and business partner data, to ensure compliance with the new framework.
But, what about Brexit?
So, many SME owners may be thinking – if we’re no longer in the EU, do these regulations even apply to us?
Well, to set a bit of context: while it forms part of the EU, the UK benefits from the free flow of personal data between all Member States. However, after the UK’s departure, it will be classed as a ‘third country,’ meaning it will no longer be part of the bloc.
Yet, while it won’t intrinsically form part of the European Union, the UK will still have dealings with it – particularly where trade, intelligence and data security are concerned. And, in the case of the latter, the UK will have to prove to the EU that its data protection is of a suitably high level if the EU is to consider granting the UK ‘adequacy.’
Wait – so, what does adequacy mean? Well, the clue’s in the name.
The UK government has confirmed it will liaise with the European Commission to request a data adequacy agreement – ensuring the country is whitelisted – meaning the Commission is happy that the UK’s level of personal data protection is as robust and secure as the EU’s GDPR, and that it’s, well, ‘adequate.’
What does ‘No Deal’ mean for data?
Deal or no deal, once the UK leaves, the government intends to incorporate GDPR into state law – called ‘the UK GDPR’. However, if it exits without a deal, UK officials have stated that the country will still allow the free flow of data from the UK to other EU Member States, but it has no control over data transferring from the European Economic Area (EEA) into the UK – and that’s where things become a little tricky.
If no negotiations are successful, UK SMEs should remain compliant with current data protection law and adopt other ‘safeguarding measures’ in the meantime. The Information Commissioner’s Office (ICO) has suggested that businesses which transfer data with EU Member States may want to introduce something called ‘Standard Contractual Clauses’ (SCCs) – essentially T&Cs which both UK and EU firms sign, to help protect personal data when it leaves the EU and is no longer behind the GDPR shield.
The ICO has published some advice for SMEs looking to determine whether SCCs are needed for their business and if so, how to choose the right ones.
Data in a ‘Deal’ scenario
If the UK leaves with a deal, data controllers won’t really notice any immediate changes to their responsibilities. The stream of personal data will continue to move without restrictions between the UK and the EU, but it will then be up to the EU whether to grant adequacy status or not.
If the protection measures are deemed sufficient, then nothing much will really change – SMEs will be able to operate as they do now regarding the exchange of personal data across Europe.
So, given the transfer of data is one of the areas which is placed under the GDPR microscope, no matter the outcome of Brexit, it will be crucial for UK businesses to have security parameters in place where personal data is concerned, to ensure as little disruption as possible when the departure date arrives.
For SMEs looking for further advice on GDPR and Brexit, the ICO has many resources and articles for companies to access for free – including six key steps to take.