How GDPR will be impacted by Brexit
Whether you’re involved with cloud services on a local or international level, or otherwise run a businesses connected to suppliers and consumers outside of the UK, Brexit will, of course, have a drastic effect on a broad array of business functions.
About the author
Martin Ojala, Data Protection Officer, Pipedrive.
In many cases there is some ambiguity as to how this transitional period will specifically apply to businesses. However, GDPR is one of the more clear cut cases. In short, EU GDPR will no longer apply directly to UK businesses after the transition period (January 2021).
However, in spite of this, UK organisations will still have to comply with its requirements beyond 2020. This is because the DPA 2018 enacts the EU GDPR’s requirements into UK law, meaning that functionally we will have ‘UK GDPR’. Functionally, there is very little difference between the ‘UK GDPR’ and existing ‘EU GDPR’. Those already complying with the former will simply have to persist with their current business practices.
Is there anything businesses still need to do to prepare for ‘UK GDPR’?
While organisations already in compliance with GDPR are unlikely to need to change much to keep their online storage, websites, and business apps in compliance with legal practice, Brexit provides a good opportunity for them to review how they handle data. One area to keep an eye on is transfers of personal data as the various mechanisms approved for use in the EU will no longer automatically apply in the UK.
If you’re moving personal data between the UK, EU and other countries, there are still questions that the UK is working out and the best place to get official instructions is the ICO website. The issues surrounding GDPR post-Brexit highlight that it is fruitless to do GDPR on a localized basis. Instead, organisations should be looking to ensure their data compliance is to the highest possible standard.
As such, when local legislation changes, businesses will not have to implement drastic reforms to stay in legal compliance. Moreover, it guarantees that their customers’ data is being protected to the best possible standard.
How does data protection differ throughout the world?
While there is a strong trend toward regulation across the globe, the differences remain significant. The European Economic Area and the handful of countries subject to the EU Commission’s adequacy decisions have adopted similar laws driven by the same principles. The rest of the world is not so homogeneous. Different priorities in business, politics, or culture lead to different data protection regimes.
What challenges does this present for businesses?
Businesses obviously dedicate time and effort to make sure their operations comply with existing and upcoming legal requirements in the markets where they operate. Most companies operating on a global scale have to make compromises as only a few of them have the resources to monitor 150+ different jurisdictions.
It is feasible to analyze your key markets in depth but, for the rest of the world, it makes sense to build a data protection program based on a strict if not the strictest regulatory framework to ensure that you’re likely to pass the bar in most of your markets.
Pipedrive started working towards GDPR compliance in early 2017 and since then the work done on this front has also paid off in non-EU markets, particularly in Canada, Australia and now, with the California Consumer Privacy Act, also in the U.S.
Will standards be higher in the future?
Inevitably, the data protection standards to which businesses are held will be higher in the future. As technologies for securing data become more sophisticated, so do those for gaining unauthorized access to such data. While this may make some of the practices of today obsolete, the only way to ensure that your organisation does not fall behind the curve is to stay at the cutting edge. By constantly holding your organisation to the highest standard, you will be minimizing any future outlay that may be needed.
Should there be a global standard for data protection?
Yes! Will there be one? Unlikely. Fundamental differences in various countries and cultures simply make the gap too great to bridge in the near future. In the meantime, companies can take the pragmatic approach of choosing a data protection and backup regime that is sufficiently strict to likely satisfy the requirements of most of their target markets and to build products and services that enable customers to make use of the liberties and opportunities granted to them and, at the same time, to remain compliant with the laws they are subject to.