GDPR and Brexit – have things changed for your business and data protection?
It seems like little time has passed since the panic over the implementation of GDPR back in May 2018.
The good news is that we all survived and, as long as we regularly review the systems we use, we are compliant with the new data protection law (hopefully! If you’re unsure, make sure you have a read of this blog on getting started with GDPR). But a question I’m regularly being asked now is: what happens to GDPR after we’ve left the EU?
Whatever your feelings about Brexit, the UK will be out of the EU from January 2021 and this may have an impact on how GDPR affects you as a business owner. It’s still unclear exactly what will happen, but hopefully, this blog will give you a bit of an idea of the things to be listening out for over the months ahead.
The UK is now in a Brexit transition period
Officially, the UK is in the process of leaving the EU and hasn’t left yet. That means all the EU laws still apply during this transition period until the end of December 2020, including GDPR.
The ICO is still enforcing GDPR and prosecuting businesses that aren’t compliant and have a data breach as a result. So, it’s of paramount importance that you keep on top of your data protection and stay compliant.
What happens after the Brexit transition period?
After 31 December 2020, UK GDPR will come into force as law, replacing the present EU GDPR. That means there will in effect be one GDPR law for those of us in the UK and a different law for everyone else in the EU.
This means there is potential for the two laws to diverge in the future, as case law heard in the UK or the EU will prompt tweaks and changes to the appropriate law in that jurisdiction. Essentially, over time our version of GDPR may start to look quite different from the EU version and become incompatible.
Negotiations are still ongoing regarding the laws we’ll retain in the UK from next year, and how the EU GDPR law is applied to us is one of them. There is a possibility that the UK will not be granted “adequacy” in terms of being able to protect data to the EU GDPR standard by the end of the transition period, and as such will become a “third country”.
Currently, the ICO is negotiating with countries to gain “adequacy status”, meaning that our current UK GDPR standard is enough for them to consider us data protection compliant for the transfer of data. Thirteen countries are currently agreed under GDPR (and hopefully a lot more by the end of the year!). Those countries are:
- Faroe Islands
- Isle of Man
- New Zealand
- United States (for companies certified under the EU-US Privacy Shield – this could also change in 2021).
For any countries that we can’t get an adequacy status from, including the EU, it’ll mean that the UK is seen as a third country and we as business owners will have more work to do to be data protection compliant.
This will probably include introducing additional measures to safeguard data, including sub-contractual clauses and binding corporate rules. It may also be the case that you’ll need to register as a data processor with the relevant authority in the country you’re transferring data from/to.
If you work with clients in both the UK and the EU, you will need to ensure that you comply with both, and if your website is accessible in both regions, it too will need to comply with both. If you are solely based in and market to the UK, you may want to look at restricting access to your business geographically to make things easier.
Don’t worry just yet though, a lot can change in the next few months and we’ll know much more in the autumn and winter about the particular changes to GDPR you’ll need to know about.
What about Google transferring data to the USA?
There was a bit of a scare in the business community when Google announced that it would be hosting data in the USA for UK-based clients rather than in Ireland, where it had been until now. There were a number of concerns that, as the US has weaker data protection laws, our data wouldn’t be as safe as it is now, and this could make it difficult for us to remain GDPR compliant.
The reason Google decided to take this action is in case the UK becomes a third country when we do leave the EU. If the data was still held in Ireland, in the EU, then it would be subject to both the EU GDPR and the UK GDPR, which could prove problematic. By moving UK data to the US, it’s covered under the UK GDPR laws now and into the future, ensuring that the transfer of data can still go ahead regardless of our status with the EU.
However, this does now mean that you are relying on the EU-US Privacy Shield to protect your data, and it isn’t as protected as it is in the EU. Therefore, if you store any special category or children’s data with Google, you will need to seek additional assurances and may also need written consent from data subjects. There are still things to clarify with regards to this, so if you are using Google, please ensure you are looking into how this will affect you.
What do I need to do now to prepare for UK GDPR in 2021?
You should know which countries the data you process is being stored and processed in. If you don’t, it’s a good move to do an audit now and find out! You should also identify if the data you hold is on UK, EU or other citizens and be clear on who they are so you can act should you need to protect their data differently.
Keep a close eye on the ICO’s guidance for small businesses and follow their advice. As long as you’re doing what they say and keep a record of their guidance, you should be OK.
I’ll publish a blog as soon as there is more definite information about any changes to GDPR that you’ll need to know about and implement, but for now, stay compliant with the current law and try not to worry about things that may or may not happen in the future!