Everyone’s talking about the latest Brexit deadline and the implications of the UK actually leaving the European Union (EU).
There’s talk of economics and trade agreements, but data privacy isn’t exactly on the tip of everyone’s tongues. However, there are real issues regarding data privacy and Brexit to consider.
The General Data Protection Regulation (GDPR) is the EU’s main privacy law. It describes seven main principles regarding the “lawful processing of personal data.”
According to GDPR, processing includes the collection, organization, structuring, storage, alteration, consultation, use, communication, combination, restriction, erasure or destruction of personal data.
So if the UK is not longer a part of the EU, how will its citizens’ data be protected?
Basically, this is what will happen:
- The transfer of personal data from organizations within the EU to organizations in the UK will be subject to strict data transfer rules, as outlined by the GDPR. It will be the responsibility of companies in the EU to ensure data transferred to businesses in the UK are lawful.
- The UK will have to achieve adequacy status in order for data transfers to be legal. That means the EU has to find that the UK data protection system is equivalent to that of the EU’s GDPR.
- If the final Brexit deal contains a provision regarding data privacy and protection, the UK may be automatically granted adequacy status.
- It can take several months and up to several years for a country to reach adequacy status. The longer it takes, the more likely new restrictions for data transfers will come into play. Organizations should begin working with their EU partners now to construct a plan so that no disruptions will occur in March if there’s no provision for data privacy when Brexit becomes official.
How does this affect businesses in the UK?
If a company is already GDPR-compliant, not much will change, especially if that company doesn’t conduct business outside the UK. However, if your business has data that flows between the UK and EU, you’ll have to comply with EU and UK privacy laws and stay up to date about changes with both sets of regulations.
The UK government said it remains committed to data privacy. It already has regulations in place similar to the GDPR. As of now, though, nobody knows for sure if the EU will consider those regulations adequate.
The best rule of thumb for UK companies looking ahead to Brexit is to become GDPR-compliant as soon as possible, if they’re not already. This step will prevent any interruption in the flow of data in and out of that business.
Does Brexit affect U.S. companies?
In short, yes. Brexit does affect companies based in the United States.
Brexit has implications on the US-EU Privacy Shield. Once Brexit is official, the UK will no longer be covered by that agreement.
The Privacy Shield framework was designed by government officials in the United States and Europe to provide companies on both sides of the Atlantic clear guidelines of data protection requirements when transferring personal data from the European Union and Switzerland to the United States.
The framework was developed in support of transatlantic commerce. As trade and data privacy agreements are in flux during Brexit negotiations, your company should stay informed about this subject. If your company shares data with organizations in the UK, you should consider and develop strategies for potential changes or additions to the Privacy Shield framework now to avoid data privacy issues and interruptions to your operations down the road.
Top Three Brexit Tips
- Review your data inventories to understand cross-border transfers and how they affect your company.
- Determine if your vendors are prepared for Brexit. If they aren’t, develop steps to appropriately manage the situation.
- Stay close to news of future updates so you can easily determine any other changes you may need to make. After all, Brexit is still a fluid situation.
If you’re still unsure of how Brexit can impact your company and its data protection systems, contact us today for a complimentary data privacy consultation.