Data protection could make securing a Brexit deal more complex, says Compliance Compendium

Brexit is raising many questions, particularly around data protection. Compliance Compendium’s Gareth Gadd has explained how compliance requirements may change following the UK’s exit from the EU.

Much of EU trade has a data element to it, Gadd explained, and all EU and EEA countries handle data such as personally identifiable information in a similar way. This aspect plays an important role in how data is transferred across the region in business sectors such as banking and insurance.

Around 13 per cent of the $9.9bn of capital invested in RegTech companies since 2014 was invested in start-ups providing GDPR solutions, according to RegTech Analyst data. This makes GDPR the third most invested regulation, behind KYC and AML.

“If you take the above at face value, everything should continue as normal after Brexit and we will continue exactly as we are now because we adopted the EU’s GDPR into UK law,” Gadd said. “Sadly, EU negotiators don’t seem to think the same way. Much has been made of technical issues that prevent the reaching of an agreement.”

The UK is currently a member of the European Data Protection Board (EDPB). However, it might not be for much longer, as the chief EU negotiator Michel Barnier is against the UK being a member of the EDPB after Brexit.

Gadd has said this presents a number of issues. For example, who would launch an infringement against the UK in the case of misapplication of the GDPR? Who would ensure that the UK updates its data legislation every time the EU updates the GDPR? And how can the uniform interpretation of the rules on data protection be ensured on both sides?

Moreover, it remains a point of contention whether the UK would be bound by legislation from the European Court of Justice after Brexit, he added.

“If we were not signatories to ECJ rulings then we would not be adopting future European case law into our legislation post-Brexit. This would lead to a bifurcation in UK and EU legislation. The EU may then have grounds to say that our data protection laws were no longer ‘adequate’.

“Much of that would seemingly be solved by the UK’s continued presence on the EDPB.”

Barnier has said that the only way to address the aforementioned issues is through an “adequacy decision”, while the UK’s own information commissioner Elizabeth Denham said that a data treaty is the preferable option.

Gadd points to an arrangement the EU has with the US called the EU-US Privacy Shield. Gadd explained that this agreement exists despite the US having a lower standard of personal data privacy than the UK under GDPR.

“Other issues arise around UK security legislation (e.g. the Investigatory Powers Act 2016) which would make an adequacy ruling difficult and explains why the UK Information Commissioner would prefer a data treaty similar to the US,” Gadd concluded.

The UK Information Commissioner’s Office has provided six steps all businesses should consider regarding data and the effect of leaving the EU.

  1. Continue to comply.
  2. Consider transfers to your UK business from the EU and EEA and the safeguards needed to ensure that data can continue to flow.
  3. Consider transfers outside the UK so that you can document the new basis for those transfers.
  4. If you operate across Europe, consider how the different data protection regimes apply to you.
  5. Review your privacy information and internal documentation.
  6. Ensure that your organisation is aware of key issues.

Copyright © 2018 RegTech Analyst