The European General Data Protection Regulation, or GDPR, sent businesses into a frenzy to become compliant in the weeks and months leading up to its introduction on 25th May 2018. But with Britain imminently due to leave the EU, organisations will likely face further uncertainty. We look at GDPR and Brexit and how this political upheaval will impact how organisations gather and process personal data.
What is GDPR and Why is it Important?
GDPR imposes obligations that dictate how organisations must process “personal data” and gives individuals more control over the data held about them. Before its introduction, data protection in Europe was governed by the 1995 Data Protection Directive, on which UK law was based, but that framework struggled to keep pace with technological change. In the UK, GDPR is enforced by the Information Commissioner’s Office (ICO), and non-compliance can lead to significant penalties.
News of data breaches has been prevalent over the last 12 months. Credit agency Equifax was notably fined £500,000 for failing to protect the data of 15 million individuals whose personal data, including addresses, passwords, driving licences and financial details, was stolen by hackers. Because the breach took place pre-GDPR, the business received the maximum possible fine under the Data Protection Act 1998. Under GDPR, businesses that fail to comply or to protect data can now expect far larger fines of up to €20,000,000 (£17.6 million) or 4% of total global annual turnover (whichever is larger) for the most serious breaches. In January 2019, search engine giant Google was fined a substantial €50 million for various breaches, including a lack of valid consent for serving personalised ads to users, in what has so far been the largest penalty issued for violating the directive.
Where are We at with Brexit?
Following a referendum on 23 June 2016, Britain was initially scheduled to exit the EU on 29 March 2019, after what can only be described as a turbulent and chaotic process. This was later extended to 12 April 2019 before being further postponed until 31 October. The UK government is now scrambling to put an agreement in place, but this is becoming increasingly unlikely — Prime Minister Boris Johnson has recently said, “this is not going to be a cinch… I’m afraid we will have to prepare to come out without an agreement.” With a no-deal Brexit becoming an increasingly apparent reality — despite the odds previously being described as “vanishingly small” — many businesses will be questioning how it will affect data protection.
What Will Happen with GDPR if the UK Leaves the EU?
Assuming that a further extension isn’t granted and that Brexit is scheduled for October 2019, we have two answers for you.
GDPR and Brexit: The Short Answer
If the UK leaves as planned in October with no agreement in place, the short answer is that data protection will not be immediately affected. Although GDPR is EU legislation, the UK has written it into its own national law in the Data Protection Act 2018, the successor to the 1998 act. Under the EU (Withdrawal) Act 2018, the UK retains GDPR in UK law, so the obligations that organisations poured intensive resources into meeting will remain in effect, although the government has stated that it will make “appropriate changes” to ensure the law works effectively once Britain is no longer a member of the EU. Both the ICO and the British government have stated that GDPR will continue to be enforced post-Brexit.
In short, there would be no immediate change to the UK’s data protection standards.
GDPR and Brexit: The Long Answer
Of course, with so much confusion surrounding Brexit, this is hardly a cut-and-dried answer.
GDPR and, as it stands, the Data Protection Act allow personal data to be shared freely between EU Member States. With the UK set to leave the EU, this is where the situation becomes more complex. The directive notably prohibits the transfer of personal data to “third countries” outside the EU that do not ensure adequate protection. Upon its exit from the EU, the UK will be considered a third country.
So is there a solution?
GDPR includes a provision that allows the European Commission to grant a country an “adequacy” decision where it is satisfied that the country’s data protection laws offer adequate protection — in other words, that the UK is a safe place for data processing. An adequacy decision allows EU Member States to transfer personal data to that country as freely as they would to another Member State.
There is precedent for this: countries and territories including Argentina, the Isle of Man, Jersey, New Zealand and Switzerland have been recognised by the European Commission as offering adequate protection.
Given that the UK’s Data Protection Act is drawn directly from GDPR, the UK should meet the criteria, but this does not necessarily mean that adequacy will be granted, especially given a tenuous-at-best relationship with the EU. Even in the best case, the formal assessment process can take months or even years, and the Commission has taken the firm position that it will not commence the process until the UK has left the EU and is already a third country.
This leaves Britain in a difficult position: even if adequacy is eventually granted, many businesses could face difficulties and considerable uncertainty complying with GDPR in the interim.
When the government states that GDPR will continue to be enforced, it is referring to transfers of data from the UK to the EU, which will continue as they have since the directive came into effect. Transfers in the other direction are the problem: UK organisations that receive the personal data of EU citizens must be prepared for EU organisations sending that data to the UK to face additional compliance requirements. Ensuring that every such transfer is lawful will be a considerable burden, and far from the simple process it is now.
What Should Businesses do With Regards to GDPR and Brexit?
Businesses rely on personal data — any data that can be used to identify an individual, including their name, physical address or IP address — to operate; no HR manager could work efficiently without it, and no business could take payments, offer services or deliver products without it. A disruption to the transfer of such data could significantly affect your ability to work.
The government is advising organisations to put contracts in place to ensure that transfers of EU personal data remain compliant with GDPR. Where such terms are absent, contracts should include Standard Contractual Clauses (SCC) or Alternative Transfer Mechanisms (ATM), which provide a lawful basis for receiving personal data from the EU. It’s important to note that this does not affect transfers between businesses within the UK or from the UK to the EU; in those cases there is no need to take action. For businesses operating on a global scale, however, it’s doubly important to ensure compliance with GDPR.
Choose Compliant Software
Businesses rely on a range of software to streamline their processes, make their business more efficient and perform critical functions. When selecting software for your business, it’s important to make sure it’s designed with GDPR compliance in mind.
At Callstream, we offer call management and secure payment platforms that are GDPR and PCI DSS (Payment Card Industry Data Security Standard) compliant. Where GDPR outlines what data needs to be protected, PCI DSS provides the roadmap to achieve it. By opting for a PCI DSS-compliant solution, you can be certain that all card payments you process over the phone are done so securely to protect sensitive data and eliminate the risk of a breach and, therefore, the costs of non-compliance to both your finances and your reputation.
When you use Callstream Vault, callers make payments via a secure gateway. Rather than have to provide their card details to an operator — and call-recording software — customers are asked to enter them via their handset’s keypad. This information is encrypted and sent directly to the merchant, ensuring the entire process is safe, easy and completely GDPR and PCI DSS compliant.
When considering a new software provider, whatever your business needs, it’s vital to do your homework. Many providers claim to be compliant, but this is not always the case. Those that are will hold a certificate of compliance, will have been audited by an approved Qualified Security Assessor (QSA), and will be happy to provide you with evidence that they meet the necessary standards.
While the issue with Brexit and GDPR isn’t clear-cut, and we won’t know exactly what will happen until we leave the EU, there are preparations businesses can make, and it’s prudent to expect the worst. Protecting customers’ data is vital — and will continue to be — regardless of our relationship with the EU and the role of GDPR in UK law.
Britain’s impending exit from the EU is far from a get-out-of-jail-free card for UK organisations when it comes to protecting users’ data. Ensure you are GDPR and PCI DSS compliant, whatever the impact of Brexit, with Callstream’s range of secure call management and payment platforms. Get in touch to find out how we can help your business.