Data Protection Post-Brexit – What Can Businesses Do To Prepare?

 

 

In January 2020, the UK officially left the EU. Since then, we’ve been in a transition period while the EU and UK negotiate arrangements. During this time there were no changes to the current data protection laws. However, as this comes to an end on 31 December 2020, it has raised many questions around the future of data protection, GDPR and compliance post-Brexit.

Conosco’s Head of Security, Hylton Stewart, and Principal Security Consultant, John Flynn, got together (virtually) to discuss the recent guidance by the ICO and what businesses can do to prepare.

 

Will GDPR still apply at the end of the transition period on 31st December?

GDPR which came into effect back in 2018 and took businesses months to get their heads around, is not going away. However, Brexit will spell a slightly new beginning in as much as it will be called the UK GDPR, and will replace the current EU GDPR. UK GDPR will still be based on the Data Protection Act 2018 but the UK will retain the right to change UK GDPR in the future as it sees fit.

 

What changes will come to fruition with the UK GDPR?

First and foremost, all companies privacy notices will need to be updated to state ‘UK GDPR’ as of 1^st January. Whilst there will be no change on data going out of the UK to the EU, Standard Contractual Clauses (SCC) will need to be in place for any data coming from the EU into the UK. A Standard Contractual Clause (SCC) is a set of contractual terms and conditions which both parties sending and receiving data sign up to, adhering to the rules of GDPR. Its aim is to protect personal data leaving the EU.

As of 1^st January, the UK will be classed as a third country and will be seen as a country with adequate provisions in place to safeguard general data protection. The UK will be treated in the exact same way as countries such as Andorra, Argentina, Guernsey, New Zealand and Switzerland.

 

What can businesses do now to get their data and systems prepared and in a better state for whatever changes come as part of UK GDPR?

• If you are a UK company that uses cloud systems based outside the UK in one of the EU member states, there will be no change to accessing the data, however, you will need to ensure contractual clauses are in place adhering to UK GDPR.
• Companies will need to update their privacy policies and put a notice online to specifically state ‘UK GDPR’.
• Businesses should ensure that they have mapped out all processes and procedures. This is something that should have been done under the current GDPR.

 

What cyber security practices should businesses put in place to protect data in general?

• Ensure your business has a health check and perform ongoing security and compliance assessments throughout the year.
• Work with experts to perform a gap analysis and ensure Information Security controls are in place to help you defend against attacks and recover quickly if a security breach should be successful.
• Look into Cyber Essentials and Cyber Essentials Plus certification to give you a strong cyber security baseline.
• Implement governance frameworks such as the ISO 27001 Security Management System.
• Regardless of GDPR, businesses should put Standard Contractual Clauses in place with any third party suppliers or partners to safeguard their data.

 

Are there any specific industries that will be affected more by UK GDPR?

All organisations will be affected by UK GDPR in the same way. However large companies will need to appoint an EU representative if they have a UK based online business that provides services to the EU. If they don’t have a representative they run the risk of being fined.

 

Are businesses still likely to be fined for misuse of data?

There will be no change and the drive will be harder than ever (if not harder) to come down on businesses that breach data protection.

 

Will the ICO (Information Commissioner’s Office) remain the data protection regulator for the UK?

Yes, the ICO will remain the UK regulator and will continue to work with its EU equivalents to ensure data protection standards are met.

Please see below list of additional reading sources and templates:.

• https://ico.org.uk/for-organisations/data-protection-at-the-end-of-the-transition-period/
• https://ico.org.uk/for-organisations/data-protection-at-the-end-of-the-transition-period/information-rights-at-the-end-of-the-transition-period-frequently-asked-questions/
• https://www.gov.uk/transition?utm_campaign=transition_p3g&utm_medium=cpc&utm_source=seg&utm_content=ala_act0&gclid=CJfZvbG1rO0CFVaAGwodKWwCOA

 

Round-up

With current official guidance changing every day, it is important that businesses continue to keep an eye on updates provided by the ICO. Should you require any additional advice or guidance about GDPR, data protection and cyber security please feel free to reach out to us at  securitydivision@conosco.com or get in touch via our website.