There are two seemingly separate major events happening in the coming years that will impact on how companies process and store personal data of people living in the European Union. The first is the European General Data Protection Regulation (GDPR) which comes into effect in May 2018. The other is Brexit, where the United Kingdom and Northern Ireland will leave the European Union.
As it stands, the GDPR comes into effect next May and will apply to all EU member states. The United Kingdom will still be a member of the European Union at that time and therefore GDPR will also apply to it. In practical terms this means that companies in Ireland and the EU can continue to send and receive personal data to and from other companies within the UK and Northern Ireland.
However, once the UK leaves the European Union in March 2019 (the current date for Brexit to take effect unless this date is extended) then things may not be so clear. In effect, after March 2019 the UK will no longer be part of the EU and therefore GDPR no longer directly applies to organisations in the UK and Northern Ireland. However, organisations that are still within the EU will have to ensure that any personal data that they transfer, process, or store within the UK complies with the stringent privacy requirements outlined in GDPR.
To address this challenge, the UK intends to update its data protection regime to incorporate the goals of GDPR. In this year’s Queen’s Speech, it was noted how important data is to the UK economy and that “Over 70% of all trade in services are enabled by data flows, meaning that data protection is critical to international trade.” To reinforce the importance of this, the UK introduced the Data Protection Bill in August. This Data Protection Bill is designed to implement the goals and objectives of the GDPR into UK law so that the data protection regime within the UK remains in line with that of the EU.
The question remains though, will that be enough? Under current data protection law, and the upcoming GDPR, it is illegal to export personal data of people within the EU to countries outside the EU unless those countries are part of the European Economic Area, are recognised third countries by the EU with adequate data protection laws, or that there are other binding agreements in place such as the EU-US Privacy Shield or obligations built into contracts.
So, the big question then is will the UK be considered an acceptable Third Country by the EU after Brexit? While the UK believes the new Data Protection Bill will be sufficient for it to be considered a Third Country there are several other UK laws that could undermine this. Notably the UK’s Investigatory Powers Act of 2016 could prevent the UK’s post Brexit data protection regime to be considered robust and adequate enough for the EU. The Investigatory Powers Act has also been dubbed the snooper’s charter due to the wide range of powers given to UK security services such as the weakening of encryption, granting hacking powers to security services, and the requirements for ISPs to store the browsing history for all users for 12 months.
Of course, until Brexit happens and all the negotiations are concluded we will not know for certain what the data protection landscape will be like. Until then it is worth remembering a few points. First, GDPR will remain in effect within the UK and Northern Ireland until Brexit happens. Until then there is no need to make any notable changes. It would be prudent to start identifying what personal data is transferred to and from the UK and Northern Ireland, either directly by your own business or by your suppliers.
Until the UK leaves the EU, GDPR will still apply to those companies. Finally, keep an eye on how the Brexit negotiations are progressing with a focus on the data protection frameworks. If it looks like the UK Data Protection Bill will not be sufficient for the UK to be considered a third country, then you need to consider different legal frameworks, such as Model Contracts, to continue to use UK-based companies to process personal data. Alternatively, you may need to consider moving your business to companies located elsewhere within the EU.
GDPR and Brexit will potentially bring many challenges to organisations over the coming years, but proper planning, and keeping abreast of how talks regarding data protection post Brexit, will help keep on top of those challenges.
This article was written by Brian Honan and first published in the Irish Independent. Brian will be speaking at Independent News & Media’s Dublin Infosec 2017 conference on Wednesday 1 November. More details are here.