On the 1st January the Brexit deal came into effect. Despite waiting with bated breath for much needed clarification on the data protection issues we face here in the UK, an adequacy decision for the UK has been delayed for 4-6 months. So why the delay, and what does this mean?
Interim Transmission of Data
Article FINPROV.10A of the Brexit agreement provides an interim provision period for transmission of personal data, to the UK from the European Economic Area (EEA). An initial interim period of 4 months will be automatically extended to 6 months if neither party objects. Thus allowing data to freely flow between the UK and EEA. So it seems we can all breathe a sigh of relief, for now at least. Government guidance on how the new deal may affect your organisation can be found here.
Restrictions on the UK
This interim period effectively restricts the UK from making any changes to data laws while the EU assesses the adequacy of the UK to accept data from the EEA. A severe restriction on the UK’s autonomy, but one which may be palatable, as the adoption of EU GDPR into UK law has been mooted.
Why the delay?
Of course, many may look at the speed at which this was all put together in the interest of getting a Brexit deal, any deal, it isn’t surprising that some decisions were delayed. However, the UK government stated that they would automatically provide adequacy for EU organisations receiving data from the UK, so long as UK data protection laws were met. The EU on the other hand was not prepared to make such a bold commitment and so have therefore delayed the decision.
If the EU are not prepared to allow data transfers to the UK as it stands, extra safeguards would be required between UK and EEA business partners. Forcing organisations to check current contracts and impacting bidding for new contracts. Failure to comply would see EEA organisations fined by their member states. Putting UK Tech business at an instant disadvantage to their EU counterparts.
What does this mean?
With all this in mind, it is difficult to see that an adequacy decision will come without some major changes to UK law. Last year the Court of Justice of the European Union ruled that the UK, France and Belgium bulk data retention schemes were unlawful and not compatible with EU law.
In turn, the Schrems II ruling makes it difficult to see the UK not making significant changes to its surveillance laws with or without an adequacy statement.
So although this temporary transmission window is better for UK business than being on third-country terms, it still leaves much uncertainty. But one thing is for certain, that the need for organisations to independently demonstrate their infosec credentials has never been more important than it is now, whatever the outcome of a final agreement. EU firms will naturally be nervous about committing to UK tech suppliers.
UK firms can help themselves, by ensuring clear accreditation in international standards such as ISO 27001 and ISO 27701. This gives all tech customers the confidence that no matter what happens the policies and processes are in place to protect their data. If we are no longer protected by the EU GDPR we still have an international standard which we can use to protect our businesses.
You can read the ICO statement in response to the UK governments announcement on the extended period here.