With the Brexit deadline looming, the possibility of a no-deal Brexit increases and with the Operation Yellow Hammer documents released last week, Matt Lock, Technical Director at data protection firm Varonis shares his views on the potential ramifications of a no deal Brexit in in terms of data privacy and sharing below.
Amongst the many scenarios we need to prepare for, there’s a GDPR equivalent to a ‘no-deal’ Brexit for data that will likely have repercussions for UK businesses. When the UK leaves the EU, it becomes a “third-country” under the GDPR rules. That means no personal data can be transferred to the UK. The result of this is IT chaos and heavy fines for companies that send data to the UK.
However, if the EU Commission decides the UK’s data security rules are “adequate”, then data can be transferred freely. Not surprisingly, the EU Commission has not yet handed down a decision. The EU has already declared, most notably, that Japan, the US, and Switzerland have adequate security and privacy laws. There’s a ray of hope since the UK’s Data Privacy Act is at least as tough as these – it is, after all, based on the GDPR language. To play it safe, EU companies can set up special standard contracts with each of their UK importers.
In practice, it means companies will need attorneys to set up special contracts. It’s less expensive to do business. Any UK company that receives data from an EU company—and which big UK company doesn’t? — is an “importer”. Maybe eventually they’ll work out an acceptability arrangement like they did with the US.