After GDPR – how Brexit will change data protection

GDPR brought upheaval and change in data protection – now Brexit is bringing it to the fore again.

Last year the letters GDPR become universally familiar across the UK. In a matter of months, the acronym became known to all, due largely to the upheaval from its introduction.

But Brexit means that further questions – and possible changes – lie ahead in data protection in order to keep data flowing freely across borders after the UK’s departure from the EU.

Ardi Kolah is Executive Fellow, GDPR Programme, at Henley Business School.

He warns: “There’s a great fog about what is going to be agreed with the EU commission with respect to international data flows. This fog is compounded by the lack of clarity about the rights of EU nationals living here, and of our nationals living abroad.”

As with all things Brexit, the final picture may change, but here are some factors that are emerging.

Issue #1: Adequacy

As an EU member, the UK is signed up to the GDPR and is regarded as having sound data protection rules.

But after Brexit, the EU will have to give the UK a status of “adequacy” for data protection in order to continue smooth data sharing.

In December the EU commission issued a warning. If the UK leaves without adequacy being granted, measures will have to be put in place to ensure data can be exported from the EU to the UK.

Should this concern accountants?

“I would hope common sense will prevail,” says Kolah.

“The UK has made a huge contribution to security and privacy laws, we’re held in very high esteem, we were involved heavily in the establishment of the GDPR and we have a good legacy. I would hope that as part of the negotiated exit, the UK will be fast-tracked in gaining adequacy status.”

But even if this happens, he says “it’s important that international data transfers continue to be frictionless – it’s in the best interests of both the EU and the UK.”

Issue #2: Data flows into the UK

Let’s look at particular issues for accountants.

For a practice mainly dealing with UK clients, then the changes made to comply with GDPR last year still hold. GDPR (i.e, the EU regulation) has been incorporated in the UK’s Data Protection Act 2018. So the same mechanisms regulating data remain in place – albeit with some deckchair-shifting: fines are now in pounds, rather than euros.

If you have clients in the EU however, be aware that data flowing from the UK to the EU is different to data coming in the other direction.

Duncan Smith, Director of iCompli says:  “If you’re a data controller and you’re sending to the EU, that’s fine; you’re sending to a safe territory. But the issue with data coming into the UK is that until we are gain adequate territory status, we are in something of a no-mans-land. I think we might be made to suffer a bit on this because it could be a whole before the European Commission determines that the DPA is adequate – and in the meantime, we don’t have a privacy shield in place.”

Issue #3: Temporary measures

The answer might need to be standard contractual clauses (SCCs). “Any data coming in will have to be under a model contract,” says Smith of iCompli. “This presents something of a headache for the EU. Imagine you are Mercedes and you have your head office in Munich. If I send information to my dealership in the UK, I’ll need different, stronger controls, to ensure I’m not breaking data privacy rules.”

Issue #4: It doesn’t just affect Europe

If you have data flows between the US and the UK, you also need to be aware of this – strange as this may sound when we are talking about Brexit. “With the US, we do have a privacy shield in place,” says iCompli’s Smith. “But, we can send data to the US because the EU and the US came to an agreement. The UK won’t be part of that agreement any more, so there will no longer be a mechanism.”

The good news is that a pragmatic solution is likely to take effect. The World Trade Organisation has said that the UK has always been on top of data protection. Rather than leaving the UK in limbo, it has agreed to ask US companies to amend their policies – from ‘data flow to and from Europe’ to ‘data flow to and from the UK.’

It still adds to the paperwork. And Smith predicts “I suspect there will be legal challenges on the basis of this. But such a scenario is likely to be an issue for multinationals, and not something that UK accountancy practices should worry about too much for now.”

Are there any practical steps accountants should take?

“Go back to your data flow diagrams that you should have, from the time of GDPR compliancy last year.” Look for where it flows from the EU to the UK, or from the UK to non-EU countries, especially the US. “You then have two choices – a privacy shield, or jumping through the particular hoops required by the country.”

Issue #5: Longer term steps

“If you are an accountancy practice with significant EU clients,” Ardi Kolah says, “it might be worth considering having a presence inside the EU – set up an office there, or at least have a representative there.” Even in the most favourable situations, being outside the EU will inevitably lead to the need for more compliance, “and could be very damaging for trade. We do have clarity on data flow from the UK to the EU now, but there is still that lingering fog in the other direction – and we are weeks away from leaving.” But don’t panic. “It would be anomalous if we were not granted adequacy.”

And in the case of no-deal? Kolah thinks long and hard about his answer. “You can make just one certain prediction,” he says, “and that is that everything will become more expensive. It will add costs and ultimately the customer will suffer from that.”

The ICOs 6 steps to take ahead of Brexit

  1. Continue to comply. Apply GDPR standards and follow current ICO guidance. If you have a DPO, they can continue in the same role for both the UK and the Europe.
  2. Look at data flows. Identify where you transfer data from the UK to any other country, not just the EU, as these will fall under new UK transfer and documentation provisions.
  3. Look at data into the UK. Identify where you receive data into the UK from the EEA. The ICO also recommends considering what GDPR safeguards you could put in place to ensure that data can continue to flow post-Brexit.
  4. If you operate across Europe, review your structure, processing operations and data flows to assess how Brexit will affect the data protection regimes that apply to you.
  5. Ensure documentation is up to date – this means reviewing privacy information to check compliance.
  6. Make key employees aware of the ongoing issues.

Mark Blayney Stuart is Business Journalist of the Year, Wales Media Awards 2017 and Former Head of Research at the Chartered Institute of Marketing.

Related articles