Late last year, we published a guide to everything you need to know about GDPR after Brexit. A few things have changed since then, not least, the UK finally agreeing on a deal on 24th December 2020. So, with the terms of the UK’s exit decided, do we know anything more about what GDPR looks like post-Brexit?

What’s happened since a deal was agreed?

You may remember from our previous piece that the UK was awaiting an ‘adequacy’ decision from the European Commission (EC). In simple terms, the EC must decide whether the UK has adequate data protection measures in place for EU countries to work with it.

In the time-honoured fashion of all negotiations between Britain and EU organisations, we’re still waiting on that decision. However, as a temporary fix, the two sides have set out the ‘Trade and Cooperation Agreement’, which contains a provision for data flows. 

What does this mean for GDPR? 

The ‘Trade and Cooperation Agreement’ contains a provision allowing data flows between the EU and UK to continue as they were pre-Brexit for a maximum of six months. In other words, data can still be transferred in the way it was pre-January 2021 until June this year.

There are two ways this ‘bridging period’ could come to an end. The first is that the UK makes changes to data protection law during the period. If this happens, the UK would be outside the terms of the agreement and data transfers will immediately stop.

The second is that the EC makes a decision on the UK’s adequacy status. If this hasn’t happened by 1st April then the period will be extended to its full six-month maximum. 

Still with us? It’s also important to note that the UK has already deemed the EU’s data protection as adequate, meaning data is free to flow in the other direction too. GDPR has now been made part of UK law and renamed the ‘UK GDPR’. And, the Trade and Cooperation Agreement includes a commitment that the UK and EU will continue to cooperate on digital trade in future. 

What does your business need to do? 

If it’s business as usual until April, does your business need to do anything to ensure compliance with GDPR?

Unfortunately, the answer is yes. While data flows can continue as they are, for now, predicting the future is tricky. Some commentators are cautiously optimistic about the likelihood of a favourable adequacy decision for the UK. However, many others cite the long-standing differences in surveillance practices between the EU and UK as a potential blocker to any positive outcome.

This means that the smart thing to do, for businesses of any size, is to put in place alternative arrangements. The Information Commissioners Office (ICO) has already issued a statement urging businesses that depend on data received from EU/EEA countries to do exactly that. 

In practice, this means setting out binding corporate rules (BCRs) or standard contractual clauses (SSCs) on data protection for an EU organisation you exchange information with. This is essentially a commitment to comply with EU data rules as an individual organisation in the event that something changes at the state level.

You can find more advice on the ICO’s Brexit hub and we’ll keep bringing you further updates as we get them. 

Just when you thought the endless rounds of Brexit negotiations were finally drawing to a close and it was safe to tune into the news again, another problem has reared its head. What will happen to GDPR after Brexit? And will UK companies still be able to exchange data within the EU? 

To provide some clarity amongst the confusion, we’ve tried to answer both. So, join us on a whistlestop tour of all things Brexit and GDPR. 

Will GDPR apply in the UK after Brexit? 

Strap yourselves in, this one’s going to take some explaining. While GDPR will no longer apply ‘directly’ once the transition period ends on 31st December 2020, that doesn’t mean UK organisations no longer need to comply with it. 

This is because the Data Protection Act 2018 enshrines GDPR’s requirements in law. On top of the existing legislation, the UK government has issued a statutory instrument catchily titled ‘The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019’. In simple terms, this amends the original law and merges it with the requirements of GDPR. The outcome will be a new data protection framework known as the ‘UK GDPR’. 

Still with us? The good news is that there’s virtually no difference between the UK version of GDPR and the current EU regime. So, for the meantime at least, you should continue to comply with the requirements of the EU GDPR. 

So why all the dramatic headlines about GDPR after Brexit? 

If there’s little material difference between the current GDPR and the proposed UK version, why are we seeing headlines about the switch costing UK firms £1.6bn in compliance fees?

Well, the problem lies in how the UK’s status is defined by the EU. Once the UK leaves the EU, as a non-member state it will be reclassified as a ‘third country’. And this has big ramifications for the transfer of personal data between countries. 

Under GDPR (the EU version), transferring personal data from the European Economic Area (EAA) to third countries is only permitted in one of three circumstances.

The three options

1. If the European Commission (EC) has issued an adequacy decision. In other words, the EC has decided the third country has adequate data protection measures in place for EU countries to work with it.
2. If safeguards such as binding corporate rules (BCRs) or standard contractual clauses (SCCs) are in place between organisations exchanging data. These are essentially commitments to comply with GDPR at the level of an individual company.
3. If an approved ‘code of conduct’ is in place between the EEA and the third country. 

At the moment, no code of conduct has been agreed between the EEA and the UK. What’s more, the EC is yet to issue an adequacy decision.

This has led commentators, such as the New Economics Foundation (NEF) and UCL’s European Institute research hub, to suggest that in the event of a no-deal Brexit, UK businesses would have to undertake option two from the three circumstances listed above. 

The problem with this is that it could prove very costly. In fact, NEF estimates setting up extra compliance measures like SCCs could cost on average £3,000 for a micro-business, £10,000 for a small business and £19,555 for a medium-sized firm. For large firms, the figure could be as high as £162,790, with a cost of £1.6bn to the UK economy as a whole. 

How likely is this to happen?

While the last section might be a little scary, it’s important to stress that it is the worst-case scenario. The UK government has stated several times that it’s committed to securing an adequacy agreement with the EC. So it’s not beyond the realms of possibility that all this will be academic and we’ll see a relatively smooth transition process.

However, there are some doubts about the likelihood of the UK being granted adequacy status. And there are a couple of compelling reasons for this. First, the EU has long opposed some of the practices of the UK security services. This has led to several protracted court battles and a few defeats for British legislators. It’s felt that unless the UK is willing to change it’s surveillance practices – something it’s repeatedly refused to do – then this is likely to provide a blocker to the UK being granted adequacy status. 

Second, the UK government has committed to ‘liberalizing’ data laws as it leaves the EU. Its argument for doing this is that data is currently ‘inappropriately constrained’ by EU laws. The problem is that this is likely to render the UK’s data protection measures inadequate in the eyes of the EU. Again, leading to a scenario in which the UK becomes considered a third country without adequacy status. 

What should SMEs do? 

At this point, it’s natural to wonder what your business can do to ensure you’re ready for the transition. After all, with all the decisions being made at an international level, what can a single SME do but wait?

We don’t yet know the outcome of negotiations on the UK’s adequacy status. So planning for extra compliance measures like SSCs is a challenge. Nevertheless, as we mentioned earlier, it’s well worthwhile ensuring your business is compliant under the current GDPR regime. At the very least, this should help you stay on the right side of the new UK GDPR standard once it’s released.

Data protection obligations got you in a muddle? Get on top of them quickly and easily with the CyberSmart Privacy Toolbox.

News articles have continued to highlight the impact Brexit could have on UK businesses in 2020. With everything from visas to regulations and import taxes, businesses face a lot of uncertainty in the coming years.  

However, despite Brexit continuing as a hot topic in business media, surveys have found that it is not the most pressing issue on business leaders’ agendas. Instead, data protection topped the list. 

The first half of 2019 saw data breaches leave 4.1 billion records across the world exposed, and they are continuing to occur on an almost weekly basis in the UK. The rapid sophistication of cyber attacks is leaving an increasing number of UK’s businesses vulnerable to these potentially devastating breaches.

80% of CEOs concerned about cyber threat

PricewaterhouseCoopers conducted a recent survey to gauge the key areas of CEO uncertainty and how they are taking action to address them. The findings found that eight out of ten CEOs are concerned about the threats posed by a cyber attack. 

This concern emerges among a growing abundance of news stories reporting enormous data and security breaches at top companies and organisations, which end up costing them hundreds of thousands in compensation. 

One of the most publicised cases of 2019 was the British Airways breach in which the details of about 500,000 customers were stolen by hackers. As a result, BA was charged a fine of £183 million.

This is a corporate example, but even small businesses are at risk of fines for violating GDPR data protection laws. If you’re wondering if you’re GDPR compliant, CyberSmart offers a simple, non-technical path to GDPR certification.

The public wants to know businesses are protecting their data

Media coverage and market research make it clear that cyber attacks are only going to increase in frequency in 2020, both in the UK and the rest of the world. But this is not just an issue for CEOs. 

The media attention garnered by cyber attack stories have made data regulations and privacy a key issue amongst the general public, who place an increasing premium on companies that take protection of their data seriously.

It’s more important than ever to show that businesses showcase their cyber security certifications and GDPR compliance. 

Pressure from consumers has been further motivation for CEOs to consider data privacy and compliance with data regulations as two of their top issues. 57% of respondents to PwC’s report cited public fears over security as a key factor.

Cyber security starts at the foundation

However, 2020 is expected to see more CEOs focusing on the configuration of their business in order to meet the requirements of cyber resilience. In the increasingly digital landscape of the future, cyber security will no longer be an added feature for organisations to incorporate as an afterthought, but rather a critical feature to be in-built into a business’ infrastructure.

As cyber attacks continue to pose a significant threat to UK businesses in 2020, it has never been more important for companies to ensure they are compliant with data protection laws and agreements. 

CyberSmart several ways that even small businesses can take precautions against cyber threats. Our Cyber Essentials and Cyber Essentials Plus certification offers simplify the process of keeping businesses up to date with UK laws while CyberSmart Active Protect secures your company devices around the clock. 

In addition, we offer products for IASME GDPR compliance enabling you and your company to meet protection standards and have peace of mind in your service.