Brexit Beckons, but what about GDPR?
With March 29th rapidly approaching, we are still in Brexit limbo. Currently, the UK stands to leave the EU without the Prime Minister having been able to get her withdrawal deal through the Commons. This week’s votes in Parliament are crucial. We already know MPs have again rejected Theresa May’s deal. Is no-deal a real possibility? Or, by Thursday 14th, will we simply see stalemate, delays and an extension to Article 50?
Wish as we might, there is nothing the general public can do to affect the results. The impact of Brexit is huge, and we are helpless. If you’re in the B2B marketing world you might feel a bit of déjà vu. This time last year we were in a similar position, quaking in our boots about another impending piece of legislation. The GDPR caused immense instability, uncertainty and insecurity. The world of data protection was in turmoil. Those of us who had thoroughly prepared came through the maelstrom quite happily and are still here to tell the tale. However, we’re starting to wonder if there are more challenges to come when Brexit and GDPR combine, particularly when one considers that we might be reassessing our approach to Brexit from outside the EU!
What happens with data protection in a no-deal situation
No-deal might be unlikely, but what if it happens? An article in Finextra considers what the implication of GDPR might be in a post-Brexit world. The article suggests that “In the worst-case scenario, the EU would no longer automatically confirm the UK as meeting adequate standards for data protection — and the UK would fall to “third country” status. Data could not flow from the EU to the UK unless British companies established legal safeguards, such as Standard Contractual Clauses, to remain compliant on data security.”
The ICO has issued guidance on 6 steps to take to prepare for data protection compliance if the UK leaves the EU without a deal. Elizabeth Denham, UK Information Commissioner, states “At the moment personal data flow is unrestricted because the UK is an EU member state. If the proposed EU withdrawal agreement is approved, businesses can be assured that personal data will continue to flow until 2020 while a longer-term solution can be put in place. However, in the event of ‘no deal’, EU law will require additional measures to be put in place by UK companies when personal data is transferred from the European Economic Area (EEA) to the UK, in order to make them lawful.”
The Brexit Clock Is Ticking; it’s time to be even more proactive on data protection
In February, the European Data Protection Board (EDPB) met for its seventh plenary session, where it adopted two information notes. These notes offer guidance on data protection issues in the event of a no-deal Brexit, and more information is available in an article by Technology Law Dispatch. The authors suggest that “The guidance in EDPB’s information notes provides a level of certainty in a very uncertain time. The EDPB has provided clear, practical steps for businesses to take to ensure that personal data can transfer freely in the event of a no-deal Brexit. As things currently stand, the UK will leave the EU on 29 March 2019. We therefore suggest that, in light of the EDPB’s guidance, you start to conduct an internal review of your data transfer mechanisms sooner rather than later.”
What should you do next?
If we exit with no-deal, UK companies will need to reassess their GDPR policies and procedures. With GDPR becoming a sort of ‘global standard’ for data protection, we need to consider how we would work with the rest of the world, not just with Europe. It makes sense to review data protection processes in advance of March 29th. Not only does it mean you’ll be ahead of the eight ball, you’ll also be presenting a clear message that data protection is a priority to protect customers, partners and suppliers alike. Before you get too worried, keep the faith: we dealt with this in 2018 and we can deal with it again!