BREXIT, PRIVACY SHIELD, GDPR AND BEYOND: WHERE DO WE GO FROM HERE?
For most of us, the summer holidays have brought with them both a welcome respite from work and the seemingly endless tide of Brexit stories. It was inevitable, of course, that such a momentous decision should spark so much writing and opinion, and yet what have we learned for sure? Editorial has been largely predicated on a whole host of ifs, buts and maybes, and until we are a long way down the post-Article 50 Brexit implementation path, it’s unlikely we’ll get the sort of clarity we’re craving.
All of which makes for a far from ideal scenario for those organisations wanting some certainty on what to do today to secure the best possible tomorrow. Naturally, we’ve had a lot of questions from clients and prospects around the issues of data transfer and hosting in the light of the Brexit vote, but devoid of a crystal ball, we can only set out the facts and offer advice in good faith.
So what do we know for sure? With experts now identifying 2019 as the earliest we’ll be out of Europe, it does mean that UK companies will have to adhere to the GDPR when it comes into final force on 25th May 2018. Anyone hoping that Brexit would help them avoid having to seriously upscale their data handling capability will not only have to think again but also get their skates on to ensure they are GDPR-ready. And if anyone is tempted to think that such a big effort for such a short-lived compliance period is over the top (we could be out of the EU a year later), then understand this: any UK company which trades in the EU will have to comply with the GDPR regardless, as they are processing EU citizens’ data. Moreover, the smart money is on the UK upgrading its data protection laws to a GDPR-level standard anyway, as part of the smoothing of the trading way and a demonstration of the ‘adequacy’ of its privacy provisions that the EU is likely to demand as part of any new trade agreement.
A further complication is that a UK out of Europe is also a UK outside of the new US/EU Privacy Shield data transfer mechanism, which came into being on August 1 to fill the vacuum left by the invalidation of the Safe Harbor agreement. So again, we have the prospect of maybe three years of certainty as regards UK/US transfers while we’re ‘in’, followed by the creation of a new framework once we’re ‘out’. Once again, GDPR-strength provisions would seem to be a sensible basis for this, but the complexity and sensitivity of data privacy issues and the relationships between the two nations on this subject will mean that we’ll just have to wait and see what transpires.
So we find ourselves in a rather curious position, not quite in limbo as we know how things stand until some as yet unspecified point in 2019 (or even into 2020 perhaps) and have a reasonable feel for the direction of travel as regards changes to data privacy regulations; and yet still with a feeling that we are on shifting sands, at the mercy of legislators and regulators both within and without the UK.
Against this unsettled background, what advice can we offer with any confidence? Well, there is a great temptation to cut through these difficulties by keeping things simple, and the simplest solution on offer is one built around data sovereignty: keep your data within its sovereign jurisdiction. That is the single most defensive move you can take to safeguard you against the inevitable buffeting that will follow as the UK transitions out of the EU. Once everything is sorted out, then there may be other options that become available that are more attractive operationally or commercially, but those days are distant and you have decisions to make now.
The Brexit vote was seen as a vote for sovereignty. In more ways than one, it would appear.