Data Protection – a Brexit View
News and information from the Advent IM team.
The 31st December 2020 is looming large and with the final break from Europe approaching, the ground rush is becoming apparent. Those that do parachuting will understand the analogy; the first few thousand feet freefall are exhilarating and yet the inevitable gravitational pull sends you plummeting towards terra firma and it’s only when you’re in the last thousand do you really focus on the ground rushing up to meet you. Hopefully, you’ve deployed your parachute by then, but if not, time to react is running out fast; it’s not the fall that kills you, but the sudden stop at the end.
The same could be said about Data Protection and how ready your business is to move into the new market place on 1st January 2021. Have you looked at your business activities where the sending and receiving of data between the UK and Europe is concerned?
The Government are still fighting the EU for trading agreements which is becoming the inevitable brinkmanship, chest bumping arena where many outcomes are still unclear. Data Protection is one of those that remains in flux. One would like to think business as usual for data exchanges given our historic involvement with development of EU Data Protection and working together. The reality is a concern; the UK has already been side-lined for the EU GPS project and there is plenty of speculation that the UK will be viewed as a Third Country if an agreement is not reached.
Third Country status will require an Adequacy Decision where the EU determines the UK’s suitability for data exchanges and, again, they are challenging that possibility because of our Investigatory Powers Act 2016, which they determine undermines the Rights of Data Subjects too much. An Adequacy Decision could take years; to that end, businesses need to be considering their data exchange processes to identify any failings under the prospect of a No Deal Brexit. We will still be required to adhere to the EU GDPR which will remain alongside the Data Protection Act 2018 as the UK’s Data Protection legislation. Therefore contracts/processes will be under scrutiny and any failings will have an impact on future trading.
The US Privacy Shield, which provided the assurance for data exchanges with EU/US businesses who aligned/certified themselves as compliant, has been challenged in the European Court of Justice and is now invalidated by their decision. This requires US businesses to revisit their own position for dealing with Europe in an increasingly data driven world.
Covid-19 has demonstrated that remote working can work which drives up the requirement to review Data Protection more closely and to ensure safe, secure means are in place and working. Failure to act now could give your business the ‘sudden stop’ no-one wants to experience.