Many businesses are overlooking a consequence of Brexit: data management and governance
Brexit is official. On January 29, 2020, the EU Parliament approved the UK Withdrawal Agreement, and the UK left the bloc two days later.
The UK and the European Union (EU) have now entered the transition period, which runs from February 1, 2020, to December 31, 2020. During this time, the two sides will negotiate the terms of their future relationship, and data protection, including the future of the General Data Protection Regulation (GDPR) in the UK, will be part of those negotiations.
What is the GDPR?
In force since May 25, 2018, the GDPR provides some of the world’s most stringent protections of consumer data privacy. It also carries some of the most severe penalties: the maximum fine is €20 million or 4% of total worldwide annual turnover for the preceding financial year, whichever is higher.
Brexit and data protection legislation: what are the consequences?
With the GDPR on the table during the transition period, the question Brexit raises is this: once the UK is no longer a member of the EU, does the GDPR still apply to companies that conduct business in the UK?
Businesses affected by changes to regulation
Until the end of the transition period, the GDPR continues to apply in the UK in its current form. UK law already contains technical amendments so that the GDPR’s provisions keep working in a UK-only context once the transition ends, but for the time being nothing really changes. Heading into 2021, however, businesses should anticipate two sets of rules, one from the EU and one from the UK. Dealing with two regimes will affect three kinds of company:
- Businesses that are established in both the UK and EU.
- Businesses that are established in the UK and conduct business in the EU, or vice versa.
- Businesses that are established outside of the UK or EU but conduct business in both regions.
The ICO is still the UK's supervisory authority for data privacy
During the transition, the Information Commissioner’s Office (ICO) continues to govern the UK’s data protection legislation. The major changes are behind the scenes. Under the Withdrawal Agreement, the ICO is no longer a member of the European Data Protection Board (EDPB), so it no longer takes part in the EDPB’s decision-making or in its cooperation and consistency mechanisms with the supervisory authorities of the EU member states. That said, the ICO has pledged to continue to enforce the GDPR.
Data transfers between the EU and the UK
At the moment, data flows freely between the UK and the countries of the European Economic Area (EEA) in accordance with the GDPR. Once the transition period has ended, however, the UK becomes a third country under the GDPR, and the European Commission will need to issue an adequacy decision, after an opinion from the EDPB, before transfers from the EEA to the UK can continue without additional safeguards.
Companies will then need to follow UK regulations when dealing with consumers in the UK and EU regulations when dealing with consumers in the EU member states. If the Commission does not find the UK GDPR to be adequate, transfers from the EEA to the UK would have to rely on another transfer mechanism, such as standard contractual clauses or binding corporate rules.
Transfers in the other direction, from the UK to the EEA, are governed by UK law, so the ICO has the final say on them. Until the Commission rules on adequacy, the position on EEA-to-UK transfers may change at short notice, which means that companies will need to stay updated.
There is also concern about data transfers between the UK and countries outside the EU. The US Department of Commerce has said that Privacy Shield, the data privacy framework for EU–US and Swiss–US data transfers, will continue to cover data received from the UK. But after the transition period, Privacy Shield organizations will need to update their public commitments to state explicitly that those commitments extend to personal data received from the UK. (Privacy Shield itself was later invalidated by the Court of Justice of the EU in July 2020, so any reliance on it should be checked against current guidance.)
What impact will this have on my business?
After the transition period, companies should expect to deal with several regulatory bodies when conducting business in Europe. This means abiding by the ICO’s rules in the UK as well as the rules of the supervisory authorities in the EU member states where they operate.
Companies will also need to revisit their binding corporate rules (BCRs) on data processing. These rules provide appropriate safeguards for intra-group transfers of personal data outside the EEA and, after Brexit, outside the UK. During the transition, the ICO will honour BCRs that were authorized while the UK still belonged to the EU. Afterward, these rules will need to be revisited: they may require new terms to accommodate the UK’s regulations, and groups whose lead authority was the ICO will need an EU supervisory authority to take over as lead for the EU side of their BCRs.
For the rest of 2020, it is business as usual for companies with dealings in the UK and the EU. But once the transition period has ended and a final agreement has been announced, companies should be ready to adjust their procedures to comply with two sets of rules. This will also affect policies covering data that resides on IT assets scheduled for decommissioning.
Let TES be your guide
Although no one yet knows how the legislation will evolve, it is safe to say that it will complicate the movement of personal data and the import and export of material. New scenarios will arise that call for an experienced partner who understands the shifting landscape. TES has in-country resources in both the UK and the EU with established relationships with the relevant government agencies on both sides of the Channel. During these uncertain times, partnering with a technology asset recovery provider with deep regulatory compliance expertise could make the difference between staying in compliance and ending up in the headlines.
About the Author
Steve Graham is the Vice President of EMEA for TES. He is responsible for managing and expanding our European Lifecycle Services business through a strategy of organic and acquisitive growth.
Connect with Steve (Stephen Graham) on LinkedIn.