UK's Brexit Transition Period: Keep Complying With GDPR
Privacy Rules Remain in Effect Pending Eventual Outcome of UK-EU Negotiations
As former U.K. Prime Minister Theresa May famously declared: "Brexit means Brexit." But what Britain's exit from the EU means for the nation's data privacy rules and EU-U.K. data flows remains to be seen.
Here's what is known: After 47 years of being part of the European Union, the U.K. formally exited the EU on Jan. 31. The U.K. is now in a Brexit transition period set to expire at the end of this year. But that deadline could be delayed multiple times, as was the tortured process of the U.K. leaving the EU following the results of Britain's 2016 referendum on its EU membership.
During the Brexit transition period, "it will be business as usual for data protection," which means mandatory compliance with the EU's General Data Protection Regulation remains in effect, the U.K. Information Commissioner's Office said in a Jan. 29 blog post.
"The GDPR will continue to apply," the U.K.'s privacy regulator states. "Businesses and organizations that process personal data should continue to follow our existing guidance for advice on their data protection obligations."
What happens after the transition period is over? From a privacy standpoint, that remains the million-dollar - or rather, pounds-sterling - question, and "depends on negotiations during the transition period," as noted in a Brexit FAQ issued by the ICO.
Odds are good, however, that after 2020, U.K. organizations will have to continue to comply with GDPR. Otherwise, they could be shut out of easy trading with the EU, leaving Britain at a competitive disadvantage.
"We need also to bear in mind that data protection is not a recent thing in the U.K.," says Jonathan Armstrong, an attorney with London-based Cordery who specializes in data protection and information security (see: GDPR Violation: German Privacy Regulator Fines 1&1 Telecom).
"We have had data protection legislation since 1984 - earlier than many countries who are still in the EU," he tells me. "There will not be substantial row-back from the existing law, and the [U.K.'s] Data Protection Act 2018 effectively makes GDPR U.K. law until it is repealed. Also, in some respects, U.K. law is tougher than GDPR, for example in its criminal provisions."
Political Bluster Continues
During the transition period, meanwhile, everything seems to be on the negotiating table. Already, the U.K. government is making a lot of noise about what post-transition-period rules might look like. But because U.K. government officials have yet to even sit down with EU negotiators, such political posturing remains meaningless.
The ICO says: "The default position is the same as for a no-deal Brexit: the GDPR will be brought into U.K. law as the 'UK GDPR,' but there may be time for further developments about how we deal with particular issues such as U.K.-EU transfers. The ICO will remain the independent supervisory body regarding the UK's data protection legislation."
But for any organization that processes EU data, the ICO will no longer be the lead EU data protection authority for Britain. Instead, that job will fall to one of the 27 remaining EU member states.
One enforcement wrinkle, as Cordery described in a recent research note, is that from a legal standpoint, it's unclear now how the ICO's two largest, unresolved GDPR cases might proceed. They involve its notice of intent to fine British Airways £183.4 million ($237 million) and to fine Marriott £99.2 million ($128 million) for violating GDPR. By the time those fines potentially get levied, the U.K.'s legal basis for the fines may have changed. An EU country might need to take over the investigations and enforcement.
Organizations that handle EU data should put processes in place to demonstrate their continuing GDPR compliance, the ICO says. "The [British] government has said that transfers of data from the U.K. to the European Economic Area will not be restricted," the ICO states. "However, from the end of the transition period, GDPR transfer rules will apply to any data coming from the EEA into the U.K. You need to consider what GDPR safeguards you can put in place to ensure that data can continue to flow into the U.K."
Whether such data flows are allowed to continue in their current form remains an open question. Armstrong says that while the British government has signaled that it will allow data to be transferred to the EEA, such provisions could be subject to court challenges along the lines of cases launched by privacy activist Max Schrems against Facebook and others, alleging that they insufficiently protect personal information (see: Facebook Wins an EU Privacy Ruling).
Britain Loses Its GDPR Say
In Britain, the pro-Brexit camp said that exiting the EU would give the country a greater say in its own affairs. But from a data privacy standpoint, the U.K. is already enjoying less control than before. The ICO, which helped lead the shaping of GDPR and privacy rules across the EU, no longer has a seat at the EU's data privacy table. Instead, the EU will tell the U.K. what it must do if it wants to continue to do business with EU organizations or to handle EU residents' personal data.
Already on the EU agenda this year are discussions over data transfers, artificial intelligence and penalty levels for GDPR violators. Whereas the U.K. previously had a voice in those discussions, it has now lost the ability to help shape the end result.
Armstrong's 5 Recommendations
What should U.K. organizations do now? As the post-Brexit transition period continues, Armstrong recommends they take five steps:
- Be proactive. "Do not leave your prep until the last minute. Instead, review your current compliance measures and see what you might need to fix."
- Study data transfer arrangements. Prioritize standard contractual clauses, model clauses and binding corporate rules for handling how data transfers take place between businesses and vendors. Having these plans in place early could pay dividends. "When Safe Harbor collapsed, some operated a ticketing system for new agreements, so it could make sense to be at the front of the line." (See: Facebook Wins an EU Privacy Ruling).
- Plan for a European representative. While it's not yet a requirement, organizations should consider naming an official data protection representative - DPR - now and documenting how they will function. After the transition period, U.K. organizations that handle data may need a DPR for the EU, and vice versa for EU organizations that handle U.K. data.
- Follow along. "Follow closely how the ICO's role actually plays out in the cooperation and consistency mechanism and how it continues to act as a lead supervisory authority, and determine who your lead supervisory authority might be after the end of the transition period." In other words, for organizations with a headquarters outside of the U.K., the lead authority may not be the ICO.
- Track changes. "Follow the eventual changes made to U.K. data protection rules and determine if and how they might affect your business. This should be fairly easy given the provisions of the Data Protection Act 2018, but we have a new prime minister who seems to see data protection as more of a political issue."
Beyond that, stay tuned. The ICO says it will be following negotiations closely and updating all of its Brexit transition period guidance as the future of data privacy rules in Britain becomes clearer.