Before I begin, I apologise in advance for using the B word. Even Sky News has shied away somewhat from mentioning Brexit, creating a special Brexit-free News Program. But it would be remiss of The Defence Works not to address the ol’ Brexit and data conundrum debate…but is Brexit and the GDPR a conundrum wrapped in an enigma, or nothing much to worry about?
Will leaving the EU make even the slightest difference to the way we have to protect data and adhere to data protection laws like the GDPR?
If you can cope with the use of the B word, please read on as I attempt to find answers on this pressing subject.
Brexit and Data Protection Are Not Mutually Exclusive
As far as we, as consumers and as businesses, are concerned, leaving or staying in the EU should have little bearing on how we treat personal data. Any piece of information that can be used to identify us should be held sacrosanct. A Cybercrime Report from ThreatMetrix gives a useful insight into the situation regarding data and cybercrime. ThreatMetrix looked at billions of transactions, both mobile-based and online, and worked out that the data breaches we have seen in recent years are feeding data back into the cybercrime network. Cybercriminals then use these data to commit fraud, either by building a synthetic identity (i.e. mixing and matching data to make a new ID) or by using the real IDs themselves.
This is happening across the world and, according to the ThreatMetrix report, across all industries. Stolen data opens up opportunities for further fraud. So, protecting data, regulations or not, Brexit or no Brexit, should be a fundamental part of any business.
Back to Brexit: where do we stand in terms of data protection? Does it matter if we stay or if we go?
GDPR if the UK Stays in the EU?
The EU’s data protection regulation, the General Data Protection Regulation (GDPR), is arguably the world’s most comprehensive data privacy and protection law. It entered our business and personal lives in May of 2018, with a flurry of ‘opt in’ marketing emails from ecommerce accounts we had long forgotten we had signed up for. It has had a mixed reception, with Deloitte finding that only 35% of EU organizations are compliant with the data breach notification expectations of the GDPR.
The GDPR sets out a number of requirements to allow EU state citizens to control the processing of their personal data, such as access to data, deletion of data, data portability, and so on. The regulation also expects various security measures to be used to protect personal data that is collected and processed.
If the UK stays in the EU, we automatically come under the umbrella of the GDPR as we will still be an EU state. If we do remain, any data that represents a UK citizen will come under the jurisdiction of the EU.
The GDPR sets fines as well, big ones. The largest to date was a fine of £44 million issued to Google by the French Data Protection Authority (CNIL).
Although I don’t have a crystal ball, we should probably expect to leave the EU at some point. So, let’s assume we are going to leave – what then for data protection and the GDPR?
If the UK Leaves the EU: Deal or No Deal?
If the UK leaves the EU, who will protect our personal data? Fear not, the DPA2018 is here!
The Data Protection Act 2018 (DPA2018) is a UK based data protection directive that is overseen by the UK’s Information Commissioner’s Office (ICO). The DPA2018 has many of the same provisions for data protection as the GDPR, but it does differ from the GDPR in certain areas. For example, in terms of consent and minors, under the GDPR consent must be given or authorised by a person with “parental responsibility” for individuals aged 16 and under, whereas the DPA2018 specifies that children aged 13 or over can provide their own consent.
The DPA2018 is great for internal UK data sharing concerns. Assuming the UK leaves the EU, within the UK we still have to abide by the DPA2018. However, there may be complications when sharing data between EU countries and the UK.
In other words, the deal is what makes or breaks how easily data can move between an EU state and a non-EU state. The UK, deal or no deal, will have to create a contract with the EU for data sharing purposes.
Data Adequacy and the GDPR
The EU requires something called “data adequacy” when determining any data sharing contract between countries. In other words, are the data protection laws in a given country equivalent to the EU’s own data protection laws? The answer determines something known as an “adequacy decision”. This is integral to the GDPR and covered under Article 45.
Once the UK leaves the EU, we will become known as a “third country”. The result of this status is that the UK will go through various checks to establish an “adequacy level”. This is to ensure that any transfer of EU citizens’ personal data to the UK is compliant with GDPR privacy law.
In establishing this level, the commission will look at areas in the UK such as:
- the rule of law
- respect for human rights
- relevant legislation (DPA2018, for example)
- national security
- criminal law
This adequacy level will form the basis of the contract we have with the EU for any business between the two states that involves personal data.
No Deal or Not No Deal That is the GDPR Question
One of the reasons the GDPR came about was to create a more homogeneous data protection directive that covered all EU states. The UK came under this umbrella as an EU state itself. Now that we are leaving the EU, we have to create our own contract between the EU and the UK to meet GDPR privacy regulations.
This is not the end of the world. It can be done, and it is done elsewhere: the US-EU Privacy Shield contract is a case in point. Privacy Shield is a contract between the EU and the US to ensure that there is free data flow between US certified companies and the EU. But like any legal contract, a UK-EU data flow contract will no doubt be drawn out.
The alternative is for individual companies to put in place something called a Standard Contractual Clause (SCC). This may be a useful interim step while waiting for any country-wide contract to settle out.
And don’t forget, just because we are no longer in the EU doesn’t mean that we don’t have to comply with the GDPR. The jurisdiction of the GDPR has a long arm and Article 3 of the directive shows just how wide this scope is.
If you need further advice about the situation, the UK’s ICO has advice on a variety of Brexit scenarios for small businesses.