This final installment of the two-part blog on Brexit and GDPR will look at compliance and accountability, what Brexit means for businesses in the UK and where we are now with GDPR.
Read the first installment here.
GDPR - Delivering Compliance & Accountability
Compliance with GDPR requires definitive identification of all personal data held, confidence in stating how and why that data is being collected, and the ability to state precisely where the collected data is being stored. For a data controller organisation to achieve GDPR compliance, it first needs to assess its current standing to identify compliance gaps. By prioritising remediation measures, the organisation can then forge a path towards GDPR compliance.
Data Controllers should also be mindful that they are ultimately responsible for ensuring compliance and therefore can be held liable for the processing activities of any data processors (e.g. cloud service providers) that they engage. This requires careful consideration when establishing or reviewing contracts that extend beyond the 25th of May 2018.
A recurring theme of GDPR is accountability. Organisations need to be capable of proving to both data subjects and regulators that the right path was taken, often years after the initial decision was made. Data Protection Officers (DPOs) are mandated for some categories of organisations, such as public authorities and those involved in high-risk processing. The DPO must have "expert knowledge" of data protection law, and it is their duty to inform and advise on compliance. The GDPR also requires a Data Protection by Design and by Default approach to the processing of personal data. This requires organisations to adopt a mindset that is proactive rather than reactive, and preventative rather than remedial. The use of Privacy Impact Assessments (PIAs) is recommended, and in some cases mandated, to assist in this regard.
Brexit in, Big Business out?
This is an age where data naturally moves across borders. Should the UK not be regarded as having an adequate level of protection, then legally, any transfers to the UK would have to be via EU model clauses, a very administrative-heavy task.
Model clauses are used to allow the transfer of data to non-EU countries and are regulated by Supervisory Authorities. Binding Corporate Rules (BCRs) may also be needed. These are essentially the same instrument as model clauses but are set up by the enterprise itself for intra-company transfers. This will add expense and may lead some companies to move part of their operations to the EU, at least until things become clearer. Other UK firms will likely create EU shadow companies to demarcate data for the sake of simplicity, a complicated and expensive solution designed to make data handling easier. Firms from beyond the EU may simply avoid setting up in the UK at all.
GDPR - Where are we now?
The Secretary of State Karen Bradley MP confirmed at the Culture, Media and Sports Select Committee meeting on 24th October 2016: "We will be members of the EU in 2018 and therefore it would be expected and quite normal for us to opt into the GDPR and then look later at how best we might be able to help British business with data protection while maintaining high levels of protection for members of the public."
For several years it was in fact the ICO and the UK government who pushed for the reform of EU law, aspiring to the continued evolution of the UK's digital economy. The Information Commissioner Elizabeth Denham commented:
"Growth in the digital economy requires public confidence in the protection of (personal data) … The ICO is committed to assisting businesses and public bodies to prepare to meet the requirements of the GDPR ahead of May 2018 and beyond."
Ms Denham also acknowledged that questions about how GDPR would work once the UK leaves the EU will still be asked, but that this should not distract from the task of complying with GDPR by May 2018.