Brexit Raises Questions About Personal Data Protection

Mark Peters, Managing Director IT Audit Practice Leader, UK

Not all border crossings are visible. The decision by the United Kingdom earlier this year to leave the European Union (EU) brings a basket of challenges and opportunities for the management and protection of personal data through cyber checkpoints, once the UK goes its own way. Personal data is a crown jewel of commerce, and the secure transfer and storage of data across national and regional borders is a hotly contested topic.

We examine this issue in our recent point-of-view paper, Responding to the Challenges and Opportunities Presented by Brexit — Data Protection and Management Implications, available for free download from our website.

Under current regulations, personal data can be transferred between countries within the EU, but it can only be transferred to outside countries that guarantee an adequate level of protection. The new EU General Data Protection Regulation (GDPR) — effective May 2016, with enforcement to begin May 2018 — which aims to harmonize existing data laws and strengthen data protection rules, was a long time coming, and carries fines of up to four percent of global revenue for noncompliance.

Some UK companies have incorrectly assumed that, following Brexit, GDPR will no longer apply, and have drawn the conclusion that Brexit will simplify data governance. In fact, the timetable for GDPR compliance is likely to run ahead of the UK’s formal exit, which means UK companies will have to comply with the GDPR, even as UK regulators craft their own personal data rules and negotiate transfer terms with the EU. It is likely, as well, that the EU will require companies in the UK to continue to meet GDPR standards as a condition of access to the EU market.

The split also raises questions for UK companies with data centers and cloud providers in the EU, and vice versa. Even if not required by the GDPR, many EU companies restrict suppliers from exporting personal data outside the EU, as part of their internal data risk management policies. That means some EU companies are likely to require suppliers to move data out of the UK and into EU data centers. Now would be a good time to take inventory of data locations and develop contingency plans.

Similarly, any ongoing business change projects approved before the Brexit vote and involving a significant IT investment should be reassessed and modified to address any implications for data storage and transmission. Given the broad definition of personal data under GDPR, virtually all projects will be affected. As a priority, all organizations should evaluate their data center strategy for these projects and decide whether it might be prudent to move or split data centers across different territories.

Organizations that utilize cloud service providers should determine what arrangements those providers have made for segregating data for EU and UK customers.

Client contracts should also be reviewed, and modified as needed, to clarify expectations on data residency and exchange.

As with any significant change, human factors can make or break the transition. Organizations should identify key decision makers who are likely to require early awareness training in order to keep abreast of potential changes in data protection legislation. Areas most likely to be affected include customer management, marketing, legal, compliance, human resources, IT, facilities, contracts, and project management.

We will continue to monitor this situation and revisit it as needed, as details become available. The above is just a summary; download the full paper here.