With the Conservative Party’s win in Britain’s general election back in December, Brexit is back on track. The clock is now ticking on Britain’s move out of the EU on January 31, and the final deal is meant to be ready by the end of the year.
That’s not much time to prepare, especially for companies entrusted to protect customer data. With the enactment of the General Data Protection Regulations (GDPR) in 2018, the European Union became the world leader in data protection. In our increasingly data-driven world, GDPR hands power back to everyday internet users and streamlines the transfer of data to third parties without the same protections in place.
With the UK heading out on its own, implications of leaving GDPR may find companies having to navigate their own version of regulations. It may be messy.
The technological becomes political
Data is more than just information. It’s money. It’s power. It’s intellectual property. Perhaps most importantly in today’s world, it’s political capital.
Thanks to the UK’s European Union Withdrawal Act of 2018, many EU laws — including GDPR — will become UK laws upon exit. That will allow the UK to put its own version of GDPR into place, mirroring the exact regulations that have already existed up until this point.
Brexit has the potential to create barriers that will become political negotiation points, similar to those of trade agreements. Data processing and data control are examples of potential obstacles. For example, after Brexit, a cloud service company in the UK that deals with data of citizens will have to navigate its process and storage in the EU.
Data will become one more sticking point to fight over. Without a formal agreement in place under Brexit, countries may prefer to do business or share data only with those still in the EU.
Circumnavigating potential friction points
The US and the EU have a Privacy Shield framework in place that allows companies in both countries to work around potential friction points while maintaining data privacy standards. That allows the countries to work around the GDPR’s restrictions on sending personal data to a third party.
Similar to a trade agreement, companies sign a basic agreement to data share and agree on underlying rules and requirements. That framework enables US-based tech behemoths like Google and Facebook to process and store data in the EU without any problems.
Since the US agreement was signed with the EU, that could leave the UK out in the cold when it leaves the union. That leaves gaps in two relationships: The UK’s data-sharing relationship with the US and the UK’s data-sharing relationship with the EU.
Updating the Privacy Shield to specify an agreement between the US and UK is easy enough. US companies will need to update the wording on their Privacy Shield commitments, explicitly adding the “United Kingdom” to their current commitment statements. Agreements between the UK and the EU are a bit more complicated, but both parties have said they are “committed to ensuring a high level of personal data protection to facilitate such flows between them.” They hope to have those agreements in place by the end of any post-Brexit transition period.
No turning back
The only way forward for companies that want to thrive in any country is to be cognizant of data use. GDPR sent a bold message to tech giants all across the world: The days of the lawless internet are over. With GDPR, even companies without business dealings in the EU were essentially put on notice that their clock was ticking: How long could they reasonably expect to go before consumers outside the EU demanded the same control and safeguards over their personal data?
Indeed, there is a long list of similar requirements from other countries on the horizon — most notably, the California Consumer Privacy Act (CCPA), which other states in the US will be watching closely now that it went into effect on January 1.
If they don’t want to fall behind, companies should always follow best practices for personal data collection, usage, consent, and storage. Getting in line with GDPR is prescient preparation for the future.