Will Brexit impact GDPR and data protection rules?
Now that the UK’s decision to leave the EU has had a chance to sink in, the consequences for how the continent continues to do business together come into question.
Equally important is the question of how the UK will deal with personal data from the EU. In a data-driven world, any change in the way we transfer data can have a domino effect on business continuity and ultimately the economy.
When the Safe Harbour agreement was struck down by the European Court of Justice, governance of data transfers between the US and EU was left in limbo. Many companies were quick to offer their own “guaranteed hosting” solutions for the EU before the ink was dry on the replacement regulations agreed by politicians on either side, which took the form of the Privacy Shield.
The question of data transfer now that Brexit has come to fruition is of even greater significance for companies who have dealings with the EU and are already trying to deal with the new EU data protection law: the General Data Protection Regulation (GDPR). Coming into effect in January, the GDPR involves more than a tweak to existing procedures, as most IT professionals will be aware. According to a survey that we conducted last year, three quarters of UK companies say that keeping up with data protection regulatory requirements will cost them financially. Achieving compliance requires all the departments involved in gathering, handling, processing and storing data to come together to use new tools, technologies and training.
Faced with this already complex compliance landscape, it is understandable for companies to worry about how much more complicated everything will become with the UK leaving the EU. Will the UK adopt a data protection regime that’s more onerous than its current one? Even with the referendum votes in, businesses should still make plans that work for both scenarios.
With Brexit becoming a reality, the UK will be governed by a different data protection regime, but will still need to comply with data protection measures to do business with the EU. In this situation, many of the current GDPR requirements should still stand. “GDPR is going to affect UK businesses offering any type of service to the EU market, regardless of whether your business stores or processes data on EU soil,” said Chiara Rustici, independent GDPR analyst.
With this in mind, businesses should stay on the course of preparing for GDPR, which should be well underway. That said, companies need to keep considering how different scenarios might play out. The framework that is put in place needs to be flexible enough to adapt to a changing regulatory landscape. To paraphrase Donald Rumsfeld, the GDPR is a “known known,” the Brexit alternative is still a “known unknown,” even after the vote, and there are other “unknown unknowns” that will affect infrastructure design decisions. Companies should therefore institute all changes with the understanding that the changes may themselves need changing.
To ensure that you are prepared, no matter how the outcome continues to play out, here are five steps that should stand your company in good stead:
- Consent: re-thinking and re-designing sign-up procedures and configuration settings for explicit consent should be top of the list
- Personal Data: individuals can object to the use of personal data for profiling, specifically in direct marketing. Any tracking of users requires clear, unambiguous consent and must describe every step, including where, how and what data is stored
- The Right To Be Forgotten: this requires a system where users can review their data, request rectification and have the option to withdraw consent given earlier
- Moving personal info: moving personal data from one provider to another is going to involve common-use standards and access to services through a well-designed API
- Pseudonymisation: the latest buzzword in privacy-enhancing techniques ensuring non-attribution, meaning that the data needed for attribution is not stored with the transaction data
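The last two items above, withdrawal of consent and pseudonymisation, can be illustrated together. The following Python is an added example, not code from the original article or from Ipswitch: it keeps transaction records in one store and the identifying details in a separate vault, linked only by a keyed (HMAC) token. The sample records, the field names and the helper functions are all constructed for this illustration. Keeping the HMAC key out of the transaction store means the tokens cannot be recomputed from a guessed email address, and deleting a subject's vault entry leaves their transactions in place but no longer attributable to a person.

```python
"""Pseudonymisation by separating identity data from transaction data.

Illustrative example only; the records, field names and helpers are constructed.
"""
import hashlib
import hmac
import secrets

# Constructed sample input: records as a sign-up or checkout system might collect them.
RAW_RECORDS = [
    {"email": "alice@example.com", "name": "Alice", "item": "book", "amount": 12.50},
    {"email": "bob@example.com", "name": "Bob", "item": "pen", "amount": 1.20},
    {"email": "Alice@Example.com", "name": "Alice", "item": "lamp", "amount": 30.00},
]

# Fields that identify a person directly and must not live in the transaction store.
DIRECT_IDENTIFIERS = ("email", "name")


def make_key() -> bytes:
    """Generate the pseudonymisation key; store it separately from both data sets."""
    return secrets.token_bytes(32)


def pseudonym(identifier: str, key: bytes) -> str:
    """Keyed token for an identifier.

    A plain SHA-256 of an email address could be recomputed by anyone who guesses
    the address; HMAC with a secret key prevents that. Identifiers are normalised
    (lower-cased) so the same person always maps to the same token.
    """
    return hmac.new(key, identifier.strip().lower().encode(), hashlib.sha256).hexdigest()


def split_records(records: list, key: bytes) -> tuple:
    """Split raw records into (transactions, vault).

    transactions: records with direct identifiers replaced by a token.
    vault: token -> direct identifiers; to be stored and access-controlled separately.
    """
    transactions = []
    vault = {}
    for rec in records:
        token = pseudonym(rec["email"], key)
        vault[token] = {k: rec[k] for k in DIRECT_IDENTIFIERS}
        transaction = {"subject": token}
        transaction.update({k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS})
        transactions.append(transaction)
    return transactions, vault


def contains_direct_identifiers(transactions: list) -> bool:
    """Check used before export or analytics: the transaction store must be clean."""
    return any(k in rec for rec in transactions for k in DIRECT_IDENTIFIERS)


def re_identify(token: str, vault: dict):
    """Controlled re-identification: only possible with access to the vault."""
    return vault.get(token)


def erase_subject(identifier: str, key: bytes, vault: dict) -> bool:
    """Handle a withdrawal of consent / erasure request.

    Removing the vault entry makes the subject's transactions unattributable
    while leaving the transaction records (e.g. for aggregate accounting) intact.
    Returns True if an entry was removed.
    """
    return vault.pop(pseudonym(identifier, key), None) is not None


if __name__ == "__main__":
    key = make_key()
    transactions, vault = split_records(RAW_RECORDS, key)
    print("transaction store clean:", not contains_direct_identifiers(transactions))
    print("subjects in vault:", len(vault))
    erase_subject("alice@example.com", key, vault)
    print("alice re-identifiable after erasure:",
          re_identify(transactions[0]["subject"], vault) is not None)
```

The separation is only as strong as the access control between the two stores and the key: if the vault, the transaction store and the HMAC key sit in the same database with the same credentials, an attacker who reaches one reaches all three, and the data is attributable again.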
As the UK starts to figure out what Brexit means for the country, getting ahead of the game with your data protection policies will be worth the time no matter how regulations and business with the EU change.
By Michael Hack, SVP of EMEA Operations at Ipswitch
Read the July EURO 2016 issue of Business Review Europe magazine.