How Will Data Protection Change After Brexit?
With GDPR coming in last year, businesses all over the UK had to carry out a review of the way in which personal data is collected and used by their brand… and while no doubt you’re all fully compliant now, it’s possible that you will need to carry out another review after March 29th to ensure you’re covered for any potential changes that might be rolled out as a result of Brexit.
The Department of Business, Energy & Industrial Strategy has published helpful guidance for all companies in the UK to ensure that they can navigate this evolving landscape without compromising themselves and leaving themselves open to hefty financial penalties in the event of a data breach.
When we do eventually leave the EU, changes to the rules could be pushed through, which will affect you and your company if you operate internationally and/or exchange personal data with business partners in other countries.
If we leave without a deal in place (which is looking increasingly likely as the days go by), businesses will have to make sure that the continue being compliant with data protection law. There won’t be an immediate change to data protection standards in the UK and brands will be able to continue sending personal data from the UK to the EU but there will be a change to the way data is shared from the EU to the UK.
The hope is that the European Commission will adopt an adequacy decision as soon as possible, but it’s unlikely that this will have been made by March 29th and the Brexit deadline.
If a deal is agreed upon, the implementation period will mean that data controllers won’t see any immediate change in their daily obligations. Personal data will be able to flow freely during this period but the EU will start its assessment of the U as soon as possible after withdrawal, with an adequacy decision adopted by the end of this implementation timeframe.
The Information Commissioner’s Office has set out steps you need to take to prepare for a no-deal Brexit, which you would certainly be wise to read. Recommendations include reviewing your structure, processing operations and data flows so you can see how our exit from the EU will affect the data protection regimes that apply to you.
There are now just 50 days left until Brexit and the Guardian has helpfully published a timeline of key dates to make note of, which could prove useful for businesses to bear in mind.
February 20th, for example, is the international treaty ratification deadline, with around 80 out of 100 or so international treaties with other nations yet to be ratified by parliament, a process that requires 21 sitting days.
And in early-mid March, a second ‘meaningful vote’ will be held by Parliament on the withdrawal agreement before the European parliament can have its say. Have a read of the article to see if there’s any other dates you might like to make a note of in the run-up to Brexit.
For help with confidential shredding in London, give us a call today.