The General Data Protection Regulation (GDPR) is a set of laws regarding data security that affect companies based in the EU and those with customers in the EU. Brexit is the proposed withdrawal of the United Kingdom from the European Union.
You may be aware of one (or both) of these subjects, but what may not be completely known is how one will affect the other. Understandably, there are reasons for concern for those doing business in or with the EU — since, as you likely know, the UK is part of the European Union — so let’s take a further look at GDPR and Brexit to see what effect they may have on how you run your company.
What is GDPR?
The GDPR governs how companies protect and handle the personal data of EU citizens. The intention of the GDPR is to implement privacy, transparency, and data rights for EU residents.
Building upon previous EU guidelines, the GDPR includes the focus on how businesses collect personal data, how customers handle data portability, and penalties for being non-compliant.
The GDPR was approved by the EU Parliament in 2016 and came into effect on May 25, 2018. All organizations doing business within the EU must remain GDPR compliant, as well as any outside organizations that provide goods or services to customers or businesses within the EU.
For a more in-depth look at the regulations, we address the major points of GDPR in a Very Good Security Compliance Academy course.
What is Brexit?
The term itself is a portmanteau of “British” and “exit,” which sums up the general idea. The United Kingdom intends to leave the European Union, separating the collection of England, Scotland, Wales, and Northern Ireland from the 27 other member states.
The UK voted to break away from the EU in June 2016 and, since then, details and proposals of how the separation would look have been in the works. A withdrawal agreement was expected to be finalized for an official separation on March 29, 2019, although the terms were not agreed upon. The new deadline is October 31, 2019. It may take another few years before the separation actually reaches completion.
Preparing for Brexit
If you live in the UK or an EU member state, there should be minimal concern in regards to GDPR compliance — if a proper withdrawal agreement is accepted. Ideally, the United Kingdom and the European Union will come to terms in regards to data protection so that business can be carried out as usual or with few interruptions.
This, however, may not be the case. If the final agreement does not adequately cover data protection or if there is a “no deal” Brexit — that is, if the UK leaves without any agreement at all — the UK will be treated as any other country outside of the EU.
As a result, businesses within the EU may need to take extra steps to ensure that the UK companies they work with have proper security measures in place, which can be done using Standard Contractual Clauses (SCC), as they would no longer be tied to GDPR-compliant EU member states the same way they once were.
Fortunately, the UK utilizes the Data Protection Act 2018, a national law that works alongside the GDPR. While we will not know for sure until Brexit finally starts happening, the relationship between the GDPR and the Data Protection Act 2018 can potentially ease the transition.
The UK, on the other hand, has established that it intends to continue the existing flow of data into the EU using guidelines already set in place by the GDPR. Assuming negotiations turn out well, this approach should remain in place post-Brexit.
Those in the UK who do not intend to do business with customers in the EU would no longer be required to be GDPR-compliant. Considering the close proximity and the commercial relationship between the UK and the EU member states, though, it is likely that only the most local of businesses would have nothing to worry about in terms of future GDPR compliance.
What If You’re Not in the UK or EU?
Whether or not the UK and EU come to an agreement regarding data protection, there will likely be more work to be done for those on the outside working with customers within both groups.
As it is now, GDPR compliance allows data transfer and security to be handled in a consistent manner when dealing with the EU member states. Depending on the Brexit agreement, if you plan to do business that involves data security with customers in the UK and customers in what remains of the EU, you would need to be GDPR-compliant, in addition to whatever rules and regulations may be set by the UK.
It is possible that the regulations may mirror each other, or at least bear a close resemblance, so being compliance-ready with one group may not require much more work to be complaint in the other territory. It can take more time to be totally compliant, though, as you’d be working with multiple sets of regulations.
In the chance that your personal data activities only deal with the countries that are part of the UK and do not involve the remaining EU member states, then it is likely that you would not be required to be GDPR-complaint any longer.
So What Should You Do Now?
To prepare for a possible “no deal” Brexit or a less-than-ideal data security agreement, those in the EU may want to familiarize themselves with Standard Contractual Clauses. SCCs can satisfy required safeguards regarding data protection when dealing with non-EU countries, as established by the European Commission.
At the moment, though, it’s business as usual. With no withdrawal agreement voted into place and the Brexit deadline pushed to later this year, the existing GDPR compliance regulations will remain at least a bit longer for both the UK and the rest of the EU member states.
