18 July 2016

What does Brexit mean for data protection?

As the fall-out from the UK referendum rumbles on, businesses are understandably asking questions about what it means from a data protection point of view.

Will we still be governed by EU law when it comes to data privacy and data sharing? Will the EU General Data Protection Regulation (GDPR) that has been on the horizon for so long still apply? What should we be doing in the run-up to Article 50 being invoked and during the two-year exit phase? What happens with Privacy Shield negotiations between the EU and the US?

From Kroll Ontrack’s point of view, very little has actually changed, and businesses should be confident that, whatever happens, the spirit of GDPR is likely to apply, whether the UK stands completely alone, joins the European Economic Area (EEA) or the European Free Trade Association (EFTA), or avoids Brexit altogether for legal or constitutional reasons.

The UK will continue trading with the rest of Europe (and beyond), whether that’s via bilateral or unilateral trade agreements, and will therefore need to abide by the more stringent regulations built into GDPR, even if it does not adopt it wholesale.

Companies holding data subject to GDPR will still need to ensure they are ready for the following:

  • Increased fines for data breaches (up to 4% of annual global turnover)
  • A “privacy by design” provision requiring that data protection is designed into business services
  • Adopting measures to protect data right from the start of a client engagement
  • Obtaining explicit consent for the collection and processing of data, and appointing an independent data protection officer
  • A “right to be forgotten”: clients have the right to request the deletion of personal data. Companies will need to take steps to comply with such requests
  • A prohibition on data being transferred outside the EU without approval from the relevant supervisory body

The GDPR continues to prohibit data transfers across borders and imposes harsher financial penalties for non-compliance. Although the EU offers various options to facilitate these transfers, these are complicated and time-consuming. At the most basic level, organisations operating within the EU or trading with the EU will need to show that they are not moving data across borders for processing unless the correct procedures are strictly followed, whether that’s for recovering information, ensuring that personal data is erased or for ediscovery purposes.

This is why it is important for multinational organisations and local businesses alike to work with partners that have a national presence within a country’s borders and the experience and solutions to facilitate data transfers in a compliant way.

Kroll Ontrack is an international business, with a large network of local data centres and data recovery labs. This enables us to provide in-country services for companies wherever they operate, and whatever the eventual final outcome of the referendum proves to be. We have always catered for the data protection needs of our clients as they take all laws and regulations into consideration.