What Brexit means for data protection
In a week that saw the Prime Minister triggering Article 50 and the formal start of the Brexit negotiation period, no end of questions have been thrown up.
There’s a whole lot of uncertainty surrounding the UK’s exit, not least in terms of potential arrangements for transferring goods and services across borders. But while accurately predicting future trade deals is next to impossible, we can be fairly confident of a few things when it comes to one incredibly valuable commodity: data.
UK and EU data protection: the story so far
Data protection rules in the UK are largely based on the Data Protection Act 1998 (DPA) which itself is based on the assumption of European Union membership and compliance with the EU’s 1995 Data Protection Directive (DPD).
The DPD was put in place to ensure standards for the collection and use of individuals’ data would have a common framework across all EU member states, with local laws and supervisory authorities bringing each one in line. These standards covered things like definitions of personal data, when and how data can be processed, and the responsibilities of data-collecting organisations.
But two decades on, it’s become clear that the DPD no longer reflects how data is shared and exchanged online. Globalisation and mass internet adoption have advanced to a point where huge volumes of data flow back and forth every second, and an explosion of social media means individuals are generating more personal data than ever. Even small businesses regularly deal with customers across national boundaries – and all the data that comes with them.
With this in mind, a new set of EU data privacy rules, the General Data Protection Regulation (GDPR), is set to come into force from 25 May 2018.
What is the GDPR?
The General Data Protection Regulation is designed to provide better protection for consumers in a variety of ways. It’s intended to reflect how the data privacy landscape has changed since the 1990s, and harmonise data protection rules across the EU.
A central GDPR concept is ‘data protection by design’ – essentially the idea that data protection should be taken into account at the earliest conceptual stages of a product or service, not just at the point of delivery.
Organisations will need to be more transparent over what they do with data gained from individuals. For example, the existing ‘right to be forgotten’ concept has been extended, with mechanisms for individuals to have all their data deleted from company records. Individuals also have new rights to obtain copies of their data, and the GDPR specifies how this data needs to be provided in a clear and easily accessible format.
A higher standard of consent will be required from individuals, including requirements for repeated consent each time their data is processed for different purposes. Organisations above a certain size, or that deal with certain types of data, may be required to appoint a data protection officer, and penalties for data breaches are tougher.
The UK Information Commissioner’s Office has provided a full overview of the GDPR and its implications.
Organisations outside the EU will have to comply with these new regulations if they want to provide goods or services to EU individuals. Of course, after Brexit the UK will no longer be under EU jurisdiction – so what impact will the GDPR have on British law and British businesses?
The data must flow: proving ‘adequacy’
When the GDPR comes into effect on 25 May 2018, the UK will technically still be an EU member – but not for long. After that, the UK will have to come to a new arrangement to continue transferring personal data to and from EU countries. As we outlined in a previous article, one likely outcome is the UK implementing equivalent standards to the GDPR – what has been deemed ‘adequacy’.
Adequacy would mean de facto compliance with the GDPR. It would allow data to be transferred between individuals and businesses across borders in much the same way it is now.
In February, the UK Minister of State for Digital and Culture, Matt Hancock, indicated that post-Brexit UK law will probably mirror EU data protection rules, saying ‘The government wants to ensure unhindered data flows after Brexit’. Mr Hancock also confirmed that domestic law would need to be brought in line with the GDPR for this to happen, describing it as ‘a decent piece of legislation’.
Since then, Elizabeth Denham, the UK’s Information Commissioner, has told the House of Lords EU Home Affairs Sub-Committee that the UK should pursue adequacy ‘because it is the most straight-forward arrangement for data flows between the UK and the European Union to continue’.
And on 29 March, the same day Article 50 was triggered, Theresa May told Parliament ‘We know that UK companies that trade with the EU will have to align with rules agreed by institutions of which we are no longer a part, just as we do in other overseas markets. We accept that’.
Post-Brexit data protection: what we know
All these statements give a strong indication that UK data protection rules will shift to resemble the GDPR, at least as far as is required to demonstrate ‘adequacy’. But implementation and assessment will take time, and there are still no guarantees.
There’s potential for a scenario where the UK does not prove ‘adequacy’ and instead comes to a whole new agreement with the EU regarding cross-border data flow. With no official word on alternatives, it’s impossible to know how this would impact organisations doing business with EU partners – we’ll just have to wait for negotiations to conclude.
In general though, it’s a fairly safe bet that UK data privacy laws will come to mirror the GDPR. This at least gives you some guidance on preparing your business for future requirements – especially if you have customers on the continent. And even if you don’t, ensuring top standards of data protection is never a bad thing.
While the future may be full of uncertainties, at Fasthosts we can always guarantee exceptional security. Our UK data centres guard your data with the latest technology, and we give you a complete set of tools to manage every aspect of your websites and applications. Whether on Cluster web hosting, our dedicated servers or our CloudNX platform, you have everything you need to future-proof your projects, no matter what unfolds over the next few years.