Today we’re hearing from Gareth Gadd, Chief Business Development Officer at Compliance Compendium, Brexit expert and UKFast webinar panellist.
Why is the process of reaching a deal with the European Union (EU) so complex? And what does Brexit have to do with our data? Let’s see what Gareth has to say about the state of Brexit and his top tips for businesses trying to minimise Brexit disruption.
You can’t escape the topic of Brexit at the moment. Much of the discussion will be on whether we get a deal or not. But a topic that is not discussed is why some of the negotiations are so complex.
Much of EU trade (whether cross-border or not) has a data element to it. All EU and EEA countries handle data, and in particular personally identifiable information (PII), in a similar way. This is important for many services (e.g. banking and insurance) so that we can trust data transfers across this huge region.
If you take the above at face value, everything should continue as normal after Brexit and we will continue exactly as we are now because we adopted the EU’s GDPR into UK law. Sadly, EU negotiators don’t seem to think the same way. Much has been made of technical issues that prevent the reaching of an agreement.
The UK is a member of the European Data Protection Board (EDPB) and continued membership would mean that we would be made aware of future potential amendments. Unfortunately, the chief EU negotiator Michel Barnier is against the UK being a member of the EDPB after Brexit. This creates issues. For example:
A sticking point is whether the UK would be bound by legislation from the European Court of Justice (ECJ) after Brexit. If we were not signatories to ECJ rulings then we would not be adopting future European case law into our legislation post-Brexit. This would lead to a bifurcation in UK and EU legislation. The EU may then have grounds to say that our data protection laws were no longer ‘adequate’.
Much of that would seemingly be solved by the UK’s continued presence on the EDPB. Barnier says that the above issues can only be resolved by an “adequacy decision”. However, our Information Commissioner Elizabeth Denham says that a data treaty is preferable. Clearly a disagreement. The EU already has an arrangement with the US called the EU-US Privacy Shield despite the US having a lower standard of personal data privacy than the UK under GDPR.
Other issues arise around UK security legislation (e.g. the Investigatory Powers Act 2016), which would make an adequacy ruling difficult and which explain why the UK Information Commissioner would prefer a data treaty similar to the arrangement with the US.
Helpfully, the UK Information Commissioner’s Office (ICO) gives guidance on the effect of leaving the EU.
Their guidance highlights six steps that all businesses should take.
The ICO keep the guidance on progress of GDPR and Brexit up to date and all UK businesses should visit the ICO website regularly to ensure that they have the latest information.
Find out how Brexit may affect your organisation and what you can do to minimise data disruption to your business in our latest webinar ‘The impact of Brexit on your data’.