Brexit’s implications for data and privacy

Clare Hopping

Tuesday 13 September 2016

With the UK set to leave the EU in the next few years, how will organisations need to change their data and privacy strategies to ensure they’re running their businesses legally?

The news that the UK is set to leave the EU by 2018 took many people by surprise, not only because it will have an impact on how businesses can trade with other EU-based companies from a financial perspective, but also, from a data and privacy point of view.

At present, data is protected under the Data Protection Act 1998, which means companies have an obligation to use data fairly and lawfully, for limited, specific purposes. In addition, it should not be kept longer than absolutely necessary and must not be transferred outside the European Economic Area without adequate protection.

However, just a few months ago, the EU came up with a new set of rules – the General Data Protection Regulation (GDPR) – that are much tougher when it comes to protecting customer data, especially when that data is moved outside its country of origin.

These new guidelines are set to come into force in 2018 – when the UK is scheduled to leave the EU, leaving its data privacy legislation up in the air.

It would seem the UK government has two options: to agree to follow the EU’s GDPR proposals, or to come up with its own set of guidelines concerning customer data privacy with the hope Brussels will agree with what’s put forward.

Using the EU’s GDPR

If the government decides all companies should adhere to the GDPR – that includes clauses to ensure explicit consent is given before they can collect data, that it isn’t transferred outside of the EU and that regulators hold the power to govern data even more closely than it is now – it would also mean the EU-US Privacy Shield must be respected, too.

If any organisation is found not to be safeguarding their data securely enough and a data breach occurs, they could be fined up to four per cent of their global revenues – a considerable price to pay if you’re a small business.

Although this is positive for consumers who will have the reassurance their data is secure, it could have a negative impact for smaller businesses that don’t have the resources or budget to keep on top of data governance. This means the government may need to help with grants or similar rewards to ensure small businesses are protected.

Developing our own set of rules

If the government opts to develop its own regulations, it would be wise to develop them along the same lines as the GDPR and Privacy Shield to ensure they do not hinder trading relationships.

The Information Commissioner’s Office (ICO), the UK’s regulator of data privacy, is supportive of this alternative model, meaning the UK is able to set its own legislation, without any disruption from the EU.

However, to allow the free trade between EU countries, laws must be similarly stringent as the GDPR, and the UK’s history with surveillance practices, spearheaded by Theresa May, could hinder the UK’s chances of having an alternative set of regulations approved.

What will happen if we ignore the situation?

If we don’t agree to the principles of the GDPR, or develop our own set of rules to govern data, it might be harder for UK companies to do business with the rest of the EU.

What is clear is that the government, and specifically the ICO, will be leading the quest to ensure business is impacted as little as possible, while maintaining free trade between the UK and rest of the EU.

“With so many businesses and services operating across borders, international consistency around data protection laws and rights is crucial to businesses, organisations, consumers and citizens,” Christopher Graham, the ex-head of the Information Commissioner’s Office explained before he was replaced by Elizabeth Denham.

“The ICO’s role has always involved working closely with regulators in other countries, and that will continue to be the case.”


Building the next-gen data centre

Where traditional and web-scale apps co-exist