Brexit – The final is here

NOTE: This is NOT a Party-Political Post.  I don’t care how you voted, but…

It’s finally here! BREXIT Day.

If you’re like me, you probably thought it would never arrive. Like the eternal winter of ‘Games of Throne’ or Dry-January, we never thought we’d survive to see the end of it.

But we’re here. It doesn’t if you voted to remain, or to leave; 31^st January 2020 is a day that will go down in history. In a historical context, only time will tell if it’s a positive event or not.

Brexit means Brexit

So after 11 pm on the 31^st January what does it mean? What happens?

The short answer is… nothing. We will begin the process of extracting ourselves from Europe, but like a disgruntled ex-partner, we’ll slowly move out over the next 11mths until finally, we leave with belongings on the 31^st December 2020.

Over the next few months, lawmakers will need to negotiate some very tricky waters as we disentangle ourselves from European law during this ‘transition period’.

From the perspective of imports and exports, this is an incredibly complex and intricate area, and I for one, do not envy them.

But they are not the only ones who need to start delicate negotiations and planning.

Your work has just begun

If you thought that you could party like it’s 1999, I’m afraid you’ll be waking with a headache tomorrow to find that you have more work to do and it’s all because of our friend, the General Data Protection Regulation (GDPR).

The first thing to note about BREXIT is that nothing will change any-time-soon.  You will still need to comply with the GDPR, and what happens to GDPR at the end of the transition will depend on the negotiations over the coming months.

But the Information Commissioners Office (ICO) has already stated that EU GDPR will be brought into UK law, creating a UK-GDPR, although that may change dependent upon negotiations.

I’ll come on to what this could mean shorty.

One of the key issues surrounding BREXIT and Data is the idea of Data Transfers; The free flow of people and DATA will undoubtedly be impacted, and you need to think about what the impact is on you and your businesses. 

My suggestion would be to start doing this on the 3^{rd of} February. Because EEA if you are offering goods or services to people who are from the EEA, it is likely that after the transition period, you will need to appoint a representative from the EEA.

Organisations offering these services (both in the UK and in the EEA) are already busy. You’ll need to decide if you want a representative, and who that representative will be. 

It may sound like an easy task, and you’ve got 11mths to do this. But leave it too late, and you could be left out in the cold come December.

International Transfers

Knowing where your Data resides is something you should know already, but it’s worth asking the question of your hosting provider. 

“Where does my Data sit?” is a perfectly reasonable question.

“On the Cloud” Is not a good answer.

Remembering that ‘Cloud’ means “Someone else’s Computer”, you need to ask where in the world does the Data you control physically reside? (Remember you are the ‘Data Controller’ so it’s your responsibility to ensure it is secure).

If the Data you Control resides in the EEA, then you need to put in place a representative. It’s worth knowing that if you are a UK business or organisation that already complies with the GDPR and has no contacts or customers in the EEA, you don’t need to do much more to prepare for data protection compliance after Brexit.

To quote the ICO…

“If your business uses a cloud IT service which stores or processes data (including personal data) anywhere outside of the UK, (including in the EEA), it should review the requirements on international transfers.”

The easiest way to avoid any issues is to use companies who have dedicated Hosting services in the UK, or software companies that commit to using Data Centres located in the UK.  This way, you are not ‘exporting’ or ‘importing’ the Data and therefore international transfer rules won’t apply.

It’s all Fine.

A post that involves GDPR wouldn’t be complete if I didn’t mention the fines which can be brought about due to breaches of Data Protection. 

The first thing to say is that the likelihood of receiving a fine or sanction from the ICO due to a breach is very low if you can demonstrate you have taken appropriate measures to protect Data and the rights and freedoms of Data Subjects. 

This basically means; If you’re an organisation operating with good values and integrity, then you’re not likely to fall foul of the ICO and incur the huge fines we heard everyone crying about in 2018.

But wait… This is where it gets interesting. Let’s take a look at the words from the ICO for a moment;

“If you are a UK business or organisation with an office, branch or other established presence in the EEA, or if you have customers in the EEA, you will need to comply with both UK and EU data protection regulations after Brexit. You may need to designate a representative in the EEA.”

Yes, this means that at the end of 2020, we will most likely have an EU-GDPR and a UK-GDPR.  Both will be very closely aligned (we hope!), but what is quite is interesting is that theoretically a breach under EU-GDPR could also be a breach under UK-GDPR (and visa-versa).

This means that the much talked about fines of 20million Euros or 4% of global turn over COULD become 40million Euros and 8% of your global turnover!

1 breach x 2 Regulations = Lots of money.

I’m raising this as a hypothetical scenario, but there have been countless occasions where a UK company or international company has suffered a breach affecting more than one country, so it is quite plausible that regulators in those regions will seek to levy fines against the offending organisation.

Summary

BREXIT is almost upon us. It doesn’t matter now if we’re raising a glass to the old days or toasting the days to come. But one thing is for sure GDPR isn’t going away any time soon, and by the end of 2020, we may have double vision.

So when your hangover subsides, maybe start thinking about reviewing your GDPR Compliance programme again.