- Data Strategy,
- Data Science & Analytics
– 21 May, 2019
Chaucer Report: Brexit Briefing
Keeping up with everything Brexit related is overwhelming to say the least – are we leaving or are we staying?
Opinion Piece by Paul Gillingwater, MBA, CISM, CISSP
What does this mean for my business? Has all the time you’ve spent preparing for the introduction of GDPR law been a waste of time? Well thankfully we can answer that with a resounding no.
Let’s look at what Brexit means for your data.
The UK is faced with two possible pathways on its Brexit journey: a negotiated Brexit and the “no-deal” Brexit.
Most recently, the UK Government agreed with the EU to set a deadline for the culmination of the process on the 31st of October 2019. Whilst some EU laws will cease to apply to the UK post-Brexit, it has been confirmed that the GDPR will continue to remain in force.
This is largely due to the heavy influence the regulation has had on the updated Data Protection Act (2018). The Act means that GDPR will still apply to the UK, however, this will be in a slightly altered manner known as ‘Applied GDPR’.
How will this affect me?
The ePrivacy Regulation (ePR), an upcoming EU regulation aimed at protecting the communications privacy of individuals, is anticipated to be rolled out in 2021.
Though the expected date is well past the Brexit deadline, assuming the UK government sticks to the newest timetable, it has been preemptively agreed that this regulation will still apply to the marketing operations of many UK companies.
Diligent businesses will, therefore, continue to prepare accordingly for when the regulation is implemented.
Additionally, the UK leaving the EU will therefore mean that the UK will overnight be regarded as a third country when it comes to data protection.
This will mean that the UK will lose its automatic adequacy status and that until it successfully acquires this, EU companies transferring data to the UK will be required to use Standard Contractual Clauses (SCCs) or other transfer mechanisms.
Once the UK has officially left the EU, British companies which meet the required threshold will be required, under Article 27, to appoint an EU Representative for data privacy purposes. This issue can be seen as a double-edged sword, for not only will British companies be affected but many EU firms may require a UK Rep for their data privacy concerns.
Ultimately, we don’t expect severe changes to data privacy practices post-Brexit. However, the UK’s adequacy is not guaranteed and in the interim period firms may need to alter their practices slightly and as mentioned consider the addition of agreed SCCs to their existing contracts.
How can I learn more?
To learn more, please download the full report (PDF) where we explore these aspects in more depth, and shed light on other data privacy-related issues which are likely to be affected by different Brexit scenarios.
Paul Gillingwater is an Associate Partner at Chaucer Group, responsible for privacy and data protection.
Chaucer offers advisory services on GDPR, as well as DPO and GDPR Representative services. If you think we can help you to implement your project or Privacy Operations Centre strategy, please contact us on DataPrivacy@Chaucer.com or 0203 934 1099.
Paul Gillingwater MBA, CISSP, CISM, RHCE
Managing Principal GDPR, ISO27001, PCI/DSS, GRC, DPA18 Paul is a Managing Principal Consultant and registered DPO at Chaucer who has worked for more than 30 years as a cyber security and risk specialist and advisor to businesses, government and non-profits with their governance, regulatory and compliance requirements. Over the past five years he has focused on UK & EU data protection and is a passionate advocate of online privacy rights education.