With our exit from the EU ‘officially’ coming at the end of 2020, many businesses have been left wondering what exactly they should be doing about data protection, and how important it is that your organisation meets GDPR guidelines. Don’t worry if your business is feeling baffled - here are the key facts you need to be aware of if your business stores personal data outside the UK.
What is GDPR?
GDPR stands for the General Data Protection Regulation, and it's a privacy ruling from the EU. It concerns the privacy and protection of all personally identifiable information, and it came into force on 25th May 2018.
Under GDPR, your business is required to protect the personal data of both customers and employees. It applies to Business-to-Consumer (B2C) and Business-to-Business (B2B) organisations - in fact any organisation which stores or processes data of EU citizens. Your business does not need to be based in the EU for these regulations to apply.
Wait, haven’t we left the EU yet?
The UK is now in a transitional period until the end of 2020 in order to develop a new trade agreement with the EU. This means that no changes need to be made in the way that you process and store data until the end of 2020; you just need to continue to meet the EU's GDPR guidelines.
What should businesses do after 2021?
It’s difficult to know for certain, as we’re not sure how the negotiations with the EU will progress. According to the ICO, ‘The Data Protection Act 2018 (DPA 2018), which currently supplements and tailors GDPR within the UK, will continue to apply. The provisions of GDPR will be incorporated directly into UK law from the end of the transition period, to sit alongside the DPA 2018.’
If this takes place at the end of the transition period, and the provisions of GDPR are incorporated directly into UK law, then businesses won’t need to make any changes to how they process and store data - they just need to continue to meet the Data Protection Act’s guidelines, and follow updates and guidance from the Information Commissioner's Office (ICO).
The EU and adequacy agreements
Countries that are not part of the European Union use adequacy agreements as a way of protecting personal data. This agreement states that the EU is satisfied that the non-EU country meets their standards of data protection, and as such agrees that data can flow between the non-EU country and EU countries. As such, this could be beneficial to the UK. The assessment for an adequacy agreement began on 1st February 2020.
However, the EU might not accept our data protection guidelines unless there’s a stipulation that we update our Data Protection Act in alignment with GDPR - in order to preserve the privacy of EU citizens as technology progresses. If the UK diverges from this alignment, that may cause problems in data transfers between the EU and UK, and we may fail to meet the EU's standards.
In this instance, assuming no adequacy agreement is reached, the UK would become what is known as a 'third country'. A third country is a country which the EU deems offers insufficient data protection for EU citizens, and would mean that data transfer between the UK and the EU would be illegal. This would have huge ramifications for businesses in the UK, who may have to change where they store their data.
So what should businesses do?
It's important to keep checking the ICO website and following their advice and guidance in regard to Brexit. The ICO doesn't expect their guidance or advice to change between now and the end of 2020, but keeping an eye on Brexit and the implications it has for data protection is necessary if you store personal data outside of the UK.
If you do feel that you need further advice on GDPR, consider getting in touch with CyberShelter. They offer GDPR compliance advice, and can help you stay abreast of data protection news and updates.
Tweet us @TranscenditUK
