Brexit Raises Questions About Personal Data Protection

Mark Peters, Managing Director UK Practice Lead & Practice Innovation Lead, Internal Audit and Financial Advisory

Not all border crossings are visible. The decision by the United Kingdom earlier this year to leave the European Union (EU) brings a basket of challenges and opportunities for the management and protection of personal data once the UK goes its own way, because data now crosses a border at every cyber checkpoint. Personal data is a crown jewel of commerce, and the secure transfer and storage of data across national and regional borders is a hotly contested topic.

Under current regulations, personal data can be transferred freely between countries within the EU, but it can be transferred to countries outside the EU only where the destination guarantees an adequate level of protection, or where approved safeguards such as standard contractual clauses or binding corporate rules are in place. The new EU General Data Protection Regulation (GDPR), which entered into force in May 2016 and becomes enforceable in May 2018, aims to harmonize existing data protection laws and strengthen data protection rules. It was a long time coming, and carries fines of up to four percent of annual global turnover, or 20 million euros, whichever is higher, for noncompliance.

Some UK companies have incorrectly assumed that, following Brexit, GDPR will no longer apply, and have concluded that Brexit will simplify data governance. In fact, the May 2018 enforcement date is likely to arrive before the UK's formal exit, which means UK companies will have to comply with the GDPR even as UK regulators craft their own personal data rules and negotiate transfer terms with the EU. It is also likely that the EU will require companies in the UK to continue to meet GDPR standards as a condition of access to the EU market, since after exit the UK becomes a third country whose adequacy the EU must assess.

The split also raises questions for UK companies with data centers and cloud providers in the EU, and vice versa. Even where the GDPR does not require it, many EU companies restrict suppliers from exporting personal data outside the EU as part of their internal data risk management policies. That means some EU companies are likely to require suppliers to move data out of the UK and into EU data centers. Now would be a good time to take inventory of data locations, including backups, replicas, log archives and any third-party sub-processors, and to develop contingency plans.

Similarly, any ongoing business change projects approved before the Brexit vote and involving a significant IT investment should be reassessed and modified to address any implications for data storage and transmission. Given the broad definition of personal data under GDPR, virtually all projects will be affected. As a priority, all organizations should evaluate their data center strategy for these projects and decide whether it might be prudent to move or split data centers across different territories.

Organizations that utilize cloud service providers should determine what arrangements those providers have made for segregating data for EU and UK customers, including where backups are held and from which territories support staff can access the data.

Client contracts should also be reviewed, and modified as needed, to clarify expectations on data residency and exchange.

As with any significant change, human factors can make or break the transition. Organizations should identify key decision makers who are likely to require early awareness training in order to keep abreast of potential changes in data protection legislation. Areas most likely to be affected include customer management, marketing, legal, compliance, human resources, IT, facilities, contracts, and project management.

We will continue to monitor this situation and revisit, as needed, as details become available.

Learn about Protiviti’s Data & Analytics services and read related blog posts on The Protiviti View.
