GDPR post Brexit: what should firms expect?

07 October 2020

Data privacy has been a focal point among government leaders and business executives for a number of years.

In the wake of major scandals involving the likes of social media giant Facebook and telecom group Talk Talk, officials have joined forces to enact measures like GDPR in an effort to curb the mishandling of data — and give peace of mind to the public at large about their personal information and how it is shared.

However, the world is now in a very different place to when the General Data Protection Regulation (GDPR) law was made in 2016 – the year the British public voted to leave the European Union (EU) – and implemented in 2018.

Whether you voted for it or not in referendum, we have got “Brexit done” and severed ties with 27 EU member states in a bid to plough a lone furrow and “make our own laws”. Then there’s the small matter of the world at large running a Sunday service as it tries to deal with the Covid-19 pandemic.

Prior to the pandemic, one couldn’t move for news coverage of Brexit, GDPR and what “deal” prime minister Boris Johnson was going to announce on the steps of 10 Downing Street or in the House of Commons. Businesses and customers alike were still facing widespread data privacy issues and discovering the limitations and flaws of policies like GDPR. These include thousands of recent data breaches because of continued gaps in protection, and millions of dollars in fines for businesses that didn’t protect their customers or continued to misuse their privileged information. There are also complaints that government agencies are underperforming in their own measures, such as resources allocated to data protection watchdogs.

A significant component of the Covid recovery plan involves location tracking of patients and “contact tracing,” or logging details about the people who have come in contact with infected individuals. Now, there are plans afoot to see pregnant women who drink alcohol have all their consumption recorded on their baby’s medical records — even if they only had a single glass of wine. In other words, a near-future flurry of personal data leading to new privacy risks is a massive understatement.

On the plus side, the Data Protection Act (DPA) 2018 is the UK’s implementation of the General Data Protection Regulation (GDPR) was passed to support the UK’s withdrawal from the EU. But what does that mean for enterprises in plain English?

“The one-word answer is ‘uncertainty’,” says Bill Gornall-King, partner at law firm Boyes Turner. “Most of the GDPR provisions have been incorporated in the DPA 2018, but the key question to answer is, with the UK being a third country from 1 January 2021, will EU member states be permitted to transfer personal data to the UK as now (and bear in mind that vast quantities of European data are processed in UK data centres)?”

Gornall-King further argues what is needed is an EU ‘adequacy decision’, adding that  the recent Schrems II decision of the European Court of Justice (ECJ) in the long-running dispute between Austrian lawyer max Schrems and Facebook Ireland, which has seen the dismantling first of the EU-US safe harbour as well as its replacement ‘Privacy Shield’ could cause the UK difficulties in achieving ‘adequacy’ in view of the UK’s own surveillance laws and its membership of the Five Eyes Alliance. “The UK faces the stark choice of maintaining current high privacy standards or the lower standards of the USA and elsewhere,” he says. “If the UK moves towards the latter it will be problematic for businesses to move personal data to (or through) the UK.”

However, Tim Brown, vice president, SolarWinds holds the belief that not much is likely to change for enterprises. “If an enterprise is GDPR certified it should receive the new certification without too much trouble,” he says. “The UK’s interpretation of GDPR is likely to resemble the current model so enterprises should expect to continue following similar requirements, such as satisfying data subject right requests. The rules aren’t likely to be rewritten; it’s the processes of administration, controls, and penalties that are likely to be updated.”

It’s a view shared by Olivier Subramanian, account principal at Contino, who says  

GDPR has been a big step forward in data protection and the management and organisation of information. “However, this change has come at a cost and created a great deal of uncertainty when first introduced,” he says. “If the UK pursues an independent data protection policy it is difficult to predict what the benefits will be.  However, it is clear to me that a different policy will bring change, cost and uncertainty to the business world.”

Although the 2018 legislation allows organisations “to continue business as usual” without having to interpret a new or different law to the EU, Neil Thacker, CISO EMEA for Netskope, says it also allows the UK to maintain good terms with the EU and supports and simplifies future trade agreements.

 “However, that said, a major challenge will be the changes and ruling by the EU on international data transfers,” he says. “At the end of the transition period and starting on exit day, the UK will become a third country, so a data transfer agreement will need to be established before data can flow freely between the UK and EU and vice versa. It is yet to be confirmed whether the EU will immediately give the UK an adequacy decision or indeed, any decision at all. Alternative options do exist, with many organisations already ensuring they have any data transfers covered by legal contracts with their service providers. These contracts with their providers and data processors will likely include Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs) which are both considered valid on a recent ruling by the CJEU.”

For Rick Goud, founder and chief executive officer at Zivver, a secure digital communication provider, the ECJ decision is very relevant for UK data protection because this incident could potentially impact future data adequacy decisions countries seek with the EU.

“When the current GDPR is no longer binding in the UK in 2021 (from 1 January) and new data protection legislation is introduced, the transition can be done smoothly if the regulations are functionally similar,” Goud continues. “British lawmakers were, after all, involved in crafting the original GDPR, so any deviations should ideally be minor.  A synergistic approach to data protection would greatly help facilitate data flows between the UK and its largest trading partner, the EU, posing minimal disruption for businesses and cross border commerce. Additionally, many companies have already developed their processes and invested in their systems to be GDPR compliant since it came into effect over two years ago. Put plainly, organisations have enough on their plates these days, and lawmakers can help by limiting any changes to GDPR regulations in the UK to those that are strictly necessary.”

As you can imagine, there are a number of established law firms and pop-up “experts” ready to help enterprises who still can’t see the wood for the trees. Conexus Law, a specialist advisory firm is urging companies to prepare for the strong possibility that the EU will fail to agree that the UK has an “adequate data protection regime” after the transition period at the end of the year. The firm says it means that businesses will face barriers transferring personal data to and from the UK to EU countries under GDPR.

 “The UK’s use of mass surveillance techniques, our Investigatory Powers Act and our membership of the Five Eyes intelligence sharing community has raised particular concerns with the EU – especially in relation to the sharing of data with the US, and even more so given the recent Schrems II decision on the Privacy Shield scheme,” says Cornexus Law founder Ed Cooke.  “What is clear is that once a decision has been made then companies will need to move quickly to ensure they are not severely impacted.”

Cooke adds that failure to reach an agreement would mean that companies will need to look at alternatives such as Standard Contractual Clauses and binding corporate rules. He reiterates that merely relying on consent is not really an option for most businesses.

“Each of these options has its challenges with consent generally viewed to be unworkable as it can be revoked at any time,” Cooke says. “Standard contractual clauses were upheld in the ECJ in its judgment on Privacy Shield, but the judges did cast some doubt on whether or not these offer suitable protection in all cases without businesses adopting further practical measures such as encryption, to ensure the protection of personal data.” 

Does that mean businesses should be worried? Gornall-King says the Schrems II case “has thrown another grenade into the room anyway” and as its findings have yet to be fully reconciled with current practice across the EU (and UK).  “The message to businesses is not to panic but to take advice and action,” he adds.

Cooke concurs and says his firm is advising companies to start preparing now.  He recommends that companies should already have a full audit of what personal data they collect and where it is stored and transferred to, including back-ups that may be held by cloud-based providers with datacentres all over the world. This audit needs to include all suppliers and partners that data is shared with. Then, the next stage is to look at standard contractual clauses and decide whether further measures are required based on the specific data being transferred. If not, consideration should be given to additional methods such as encryption,” argues Cooke.

“It seems that an adequacy ruling under GDPR is being used as a Brexit bargaining chip in relation to other unrelated diplomatic negotiations taking place,” he concludes. “Unfortunately, businesses may end up bearing the brunt of this and I would highly recommend that they start to prepare now.”

A significant component of the Covid recovery plan involves location tracking of patients and “contact tracing,” or logging details about the people who have come in contact with infected individuals

A significant component of the Covid recovery plan involves location tracking of patients and “contact tracing,” or logging details about the people who have come in contact with infected individuals

It has already been noted that the UK will need adequacy to GDPR if it wants full access to the EU markets and Mark Ruchie, vice president, chief information security officer for Entrust, says the 

“overall global trend” is that countries are increasingly focused on protecting information and ensuring consumer privacy.  He adds that as countries create their own data privacy and protection regulation they have used GDPR as the model, citing Brazil and the US state of California as examples of jurisdictions that have recently enacted data protection regulation.

“Regardless of the regulations, organisations need to focus on protecting PII, healthcare data, bank and credit information or any other sensitive data,” Ruchie continues. “Organisations can solve these problems by encrypting all of their data and ensure strong identities for their employees to access their networks.  This solves two main problems:  1) Strong identities (backed by a certificate) prevent bad actors from accessing the networks, applications and data. 2) Also using new technologies like passwordless authentication and single sign-on reduces the friction for employees when accessing networks and applications, improves security and, in some cases, eliminates passwords and replaces them with biometrics. Encryption ensures that if a data breach were to occur the information would be encrypted and useless to any bad actor.  Also in GDPR and other regulations, if the data was encrypted it is very likely to be exempted from data breach notification since such protection de-risks the impact on individuals’ rights and freedoms. Encryption or lack of it  (depending on the data at risk) can also be one of the important consideration factors for the data protection authorities in awarding financial penalties in the case of a data breach. For security-minded organizations, designing a data privacy program that complies with more mature regulations, such as the GDPR, will allow them to stay nimble and adjust more quickly as new regulations come into force—rather than having to constantly scale up.

The primary challenge, since the GDPR was enforced, is that the internet allows for data to flow freely across borders and for many organisations that use the cloud - aligning these data flows with contractual agreements has been difficult. Thacker says that today, every organisation is mandated to maintain an up-to-date Record of Processing Activities (ROPA) both under Article 30 of the EU GDPR and section 61 of the UK DPA 2018. “In summary, a ROPA is an inventory for all personal data an organisation holds, where it is held (geolocation etc.) and what data controllers / processors are used. With large enterprises consuming over 1000+ cloud apps (and every cloud app provider likely to be a data processor) maintaining this record and understanding which provider has a valid contract covering data transfers is not a simple task especially with shadow IT being commonplace for most organisations,” he says. “For enterprises across the UK and EU, now is the time to ensure their ROPA’s are regularly updated and that visibility is sought into every new data controller / data processor agreement. In addition, employees should be educated in real-time when they attempt to upload personal data records to a cloud app that does not have a valid agreement in place. Technical controls such as a Next-Generation Secure Web Gateway (NG-SWG) and / or a Cloud Access Security Broker (CASB) that align with the organisations ROPA and can be used to identify and apply this level of control.”

However, Goud implies that there may not be a blanket rule for all in that sector specific data protection standards are evolving.

“When it comes to data protection legislation, many of us tend to think of the GDPR or the DPA, but there’s much more to be aware of than that,” he adds. “That’s because industries such as healthcare and legal are rapidly adopting their own standards to facilitate secure digital communications for their specific needs. We’ve seen this recently in the Netherlands, where a new standard for exchanging ad-hoc digital communications in the healthcare sector, known as the NTA 7516, was introduced earlier this year. The legal sector also has plenty of incentive to transform how communications can be safely exchanged, as many law firms still rely heavily on fax machines or mail couriers to send communications. Establishing these new standards can help companies transform how they interact with their contacts, while creating new opportunities and cost savings potential. You can expect to see more of this in the UK, the rest of Europe and beyond in the coming years.”

Regardless of what laws are in place, security remains key for enterprises and so many will want to know what they could expect to happen now that the UK is no longer part of the EU.

Should enterprises have security fears as a result of Brexit, or is that just more scaremongering being pedaled by the editors on Fleet Street?

“Change always creates opportunities – for businesses it offers a chance to grow or scale, but for the bad guys it is an opportunity for them to profit off uncertainty,” says Brown. “Look no further than Covid-19 which saw a sharp increase in phishing, ransomware attacks, and other scams. But enterprises shouldn’t have specific security fears; rather they must be wary that the UK will be undergoing change which can create gaps and opportunities that weren’t there before.”

Still, Brown says the UK should feel pressured into introducing new knee-jerk legislation and  shouldn’t evaluate if the GDPR regulation works, but if the model works. “For example, do penalties work as a deterrent, do the administration processes work and is the method of reporting accurate?” he continues. “If the UK finds that the model isn’t working, this offers a chance to evoke change to help mitigate specific concerns. The UK must also consider if the regulation is purely a privacy initiative or if it could drive the economy as well. The new regulation could state that all data collected must remain within the UK, for example. Not only would this spur the number of data centres and equipment required, but also create jobs. Yet this pressure to review and perhaps change processes will come from those within the UK.”

Nevertheless, it’s already getting interesting ahead of the end of the Brexit transition period. The afore-mentioned Facebook last week threatened it might not be able to provide its platforms in Europe under new regulatory changes, it has threatened. The company said it would not be able operate on the continent if it cannot move user data between Europe and the United States. Indeed, the Irish Data Protection Commissioner has suggested that it would enforce a European Court of Justice ruling that would mean such data transfers would breach (GDPR).

The general consensus is the concept of GDPR will prevail in the UK regardless of what deal is signed. “While the name might change, and processes might become more effective, the privacy rights will remain,” says Brown. “The notion of maintaining privacy and data protection, which underpins GDPR, is essential, and is a model which is being implemented around the world.”

Nevertheless, there’s no navigating the fact that GDPR is still going to be relevant post-Brexit and Nigel Thorpe, technical director, SecureAge reinforces that any organisation that works with European businesses or consumers will still need to comply in order to continue operating in the territory. The UK will also retain data protection legislation which, in the short term at least, will continue to look a lot like GDPR.

“Whatever the future means in terms of changes to UK or European data protection, the principles of GDPR remain good business principles,” says Thorpe. “What consumer is going to trust an organisation which has poor controls over their personal data? And ‘security by design’ is just good business sense. In today’s world of immediate news coverage, customer trust in an organisation can be lost in seconds, so doing all that is possible to mitigate security threats is an essential investment.” No doubt, things will be a lot clearer in early 2021. Even if there is still lots of uncertainty. n