Corporate Compliance Insights

Will Brexit Bust GDPR?

by Nick Henderson
March 8, 2017
in Data Privacy, Featured

4 Things That Could Happen Next

How big an impact is Brexit going to have on GDPR? The U.K. government has already committed to bringing the new European data protection regulation fully into force in 2018, but without any post-Brexit deal, could the U.K. find itself stranded on a data protection desert island?

The EU’s General Data Protection Regulation is due to come into force across the bloc on May 25, 2018. It is the biggest shakeup in data protection law for 20 years. Individuals’ rights to access and protect their data will be strengthened, businesses will face more rules on how to manage and safeguard data and stricter data protection training requirements, and much harsher penalties will apply for getting it wrong.

Brexit has caused a wave of uncertainty about how GDPR might be implemented in the U.K. and what might happen once the U.K. is out of the EU.

What We Know Now

The U.K. government has signalled its intention to trigger Article 50 before the end of March 2017, kicking off the two-year countdown to the official exit from the EU. Barring further changes, the U.K. should have left the EU by April 2019. Assuming that the U.K. remains a full member of the EU until that date, GDPR will automatically apply to the U.K. in 2018.

Both the Information Commissioner’s Office (ICO) and the U.K. government have indicated that GDPR will be implemented regardless of the U.K.’s eventual relationship with the EU.

The U.K. has a strong data protection record itself. Britain’s ICO was the original instigator of GDPR, identifying the need to update data protection law back in 2009. The U.K. is also a world leader in data systems, cybersecurity and privacy law. However, research by KPMG has shown over 60 percent of CEOs are concerned about British privacy regulations becoming out of step with the EU after Brexit and impacting their business.

Full Compliance

To maintain full compliance with GDPR, the U.K. must provide an adequate level of protection for individuals. That means someone in France, Spain or the U.K. should enjoy a very similar level of data protection and be able to expect companies and public bodies to look after their data in broadly the same way. Full compliance leaves little room for a citizen’s experience of data protection to change from one country to another.

There are national derogations available under GDPR, but these are limited in scope to issues like national security, judicial independence and religious exemptions. In addition, any restriction must still respect fundamental freedoms and remain necessary and proportionate.

Not all the rules of GDPR have been finalised. A group known as the Article 29 Working Party is currently writing guidelines on everything from who will need a data protection officer (DPO) to the right of data portability. When GDPR takes effect, the Working Party will become the European Data Protection Board, made up of the head of each EU member state’s supervisory authority together with the European Data Protection Supervisor. It will continue to write guidance and coordinate enforcement across the EU, and its decisions may alter how GDPR is applied in practice.

After Brexit, the U.K.’s ICO may no longer have a seat on the Data Protection Board. To remain compliant, the U.K. could end up having to implement decisions of the board without having a say.

The problem is how to incorporate all these individual changes and adaptations without the need for constant legislation. To maintain full compliance, the U.K. may have to devise a system to automatically implement GDPR developments which take place in Europe. However, this leaves the possibility that a post-Brexit EU moves faster and further with data protection, no longer bogged down by British objections. This could force the U.K. to implement GDPR decisions it might not like in order to maintain full compliance. If not, a two-tier, partial compliance system could emerge. On the other hand, full compliance might not be too difficult. The eight principles of the U.K.’s Data Protection Act 1998 are broadly carried over into the Article 5 principles of GDPR, and the U.K. in general has strict data protection laws.

Partial Compliance

Partial compliance with GDPR could emerge from a situation where the U.K. keeps the regulation on the statute books after Brexit but doesn’t keep pace with any changes as they develop.

The Prime Minister plans to incorporate the body of European law into U.K. law in a “Great Repeal Bill,” and then decide which laws to keep and which to, well, repeal. With no automatic mechanism to keep up with changes in EU rules, a two-tier system could be the only option. This might mean U.K.-based companies with business in the EU complying with GDPR for their EU operations but operating under a different standard for their British operations.

Some of the more stringent GDPR requirements, such as 72-hour breach notification, unrestricted right of access and the right to be forgotten may be without a home in post-Brexit Britain, but remain part of EU rules. Companies will have to prepare for the potential increased workload and confusion that may result in trying to comply with two different systems at the same time.

While some companies and politicians may be keen to drop a number of GDPR requirements as soon as possible, partial compliance creates its own problems. Too much tinkering with the rights of data subjects, or stepping too far away from the protection of fundamental rights that GDPR is based on, could leave the U.K. and EU data protection regimes in a state of divergence.

Divergence

The U.K.’s divergence from GDPR would mean a significant and material shift away from European standards of data protection. This could happen if the U.K. rejects GDPR wholesale and keeps the Data Protection Act 1998 instead. Another scenario is that GDPR is implemented, but after Brexit, it is repealed or amended beyond recognition.

However, a legislative separation might not necessarily mean divergence. U.K. case law has been catching up with European concepts of privacy. In a recent Court of Appeal case, Vidal-Hall v Google, the court found that claimants could seek compensation for a data protection breach without having to prove financial loss. However, that ruling was reached by applying EU law (the Charter of Fundamental Rights), so Brexit may end up narrowing the scope of how British judges interpret data protection.

There is always the possibility that the U.K. may diverge from GDPR but toward even greater protections. The U.K. is already a world leader in data protection and has taken pioneering decisions in other areas of compliance, such as the Modern Slavery Act.

Divergence in this direction matters less than divergence the other way. If the U.K. and EU data protection systems become too different, the U.K. could fail to secure an adequacy decision from the European Commission, leaving data transfers from the EU to the U.K. without a lawful basis unless other safeguards are put in place. Even if the U.K. maintains full compliance with GDPR, there is still a possibility that Brexit could threaten the U.K.’s prospects of an adequacy decision.

Brexit: Deal or No Deal?

Regardless of what the U.K. does with GDPR after Brexit, the biggest threat to data protection is from an exit from the EU without any deal. This is the so-called hard Brexit and fallback to WTO rules until a further agreement is reached, or not. It’s the kind of Brexit Theresa May and many inside the Conservative party and Leave camp have called for. As we have seen, the crucial component for the U.K. after Brexit is to be judged as offering an adequate level of protection by the European Commission.

A hard Brexit with no deal means no assessment of adequacy. Nor can the U.K. simply apply to the European Commission for one; the Commission alone decides whether and when to make that determination. If the negotiations turned sour and both parties decided to walk away with no deal, perhaps due to the estimated €60 billion leaving bill, there might not be much goodwill left to speed up a U.K. adequacy determination for GDPR.

Without any sort of bridging deal, transferring data from the EU to the U.K. would be treated no differently from transferring data to Zimbabwe or any other third country without an adequacy decision. Such transfers would have to rely on the alternative mechanisms in Chapter V of GDPR, such as standard contractual clauses or binding corporate rules, or would otherwise be unlawful. This, of course, would imperil the economies on both sides of the Channel, but it is a serious risk if there is no deal or transitional arrangement in place.

Canada has been recognised as offering an adequate level of protection since 2001 (for organisations covered by its federal privacy law, PIPEDA), a decision that predates CETA, the EU-Canada free trade deal; adequacy has also been granted to a handful of other countries and territories including the Channel Islands, New Zealand, Israel and Argentina.

Data transfers to the U.S. take place under the auspices of the EU-US Privacy Shield, which American companies can sign up to in order to demonstrate that they offer an adequate level of protection. This was hastily put together after the previous Safe Harbour scheme was invalidated by the Court of Justice of the EU in 2015 (the Schrems judgment). It may be that in the event of a no-deal Brexit, the U.K. could join the Privacy Shield, allowing companies a one-step registration process to essentially continue doing what they will already have been doing right up until the formal exit from the EU.

But the question of whether the Privacy Shield will survive President Trump has become another reason to worry what the next few years will mean for data protection.

Tags: Brexit, GDPR

About the author

Nick Henderson-Mayo is the director of learning and content at VinciWorks, a leading AML and compliance training and software company. He previously worked in policy at the Scottish Government and in civil society. He creates compliance training for the world’s top law firms and blogs about money laundering and compliance topics on LinkedIn and Twitter: @nick_compliance.

© 2022 Corporate Compliance Insights