There are a number of concerns about personal data since our departure from the EU.
What does it mean now for our DATA? Do you need to do things differently? What about DATA sovereignty?
Can we wave goodbye to GDPR after Brexit?
No. Just because we have left the EU, it doesn’t mean we can ignore GDPR.
On the subject of data sovereignty, all this means is that the laws and governance surrounding how data is controlled and processed are those of the country in which it was collected. Anyone processing data must control it and process it in a way that complies with the data privacy laws and regulations of that host nation. In our case, that is the DPA 2018.
The ICO remains the independent supervisory body for the UK’s data protection legislation.
The UK government wants to maintain the high standard of the GDPR. When the GDPR came out in 2018 the UK replaced the old DPA of 1998 with an updated 2018 version. This states we will fully comply with the GDPR.
In any case, if you are processing the personal data of EEA citizens then you will still need to comply with the GDPR. This includes customers, clients, suppliers and employees.
Is there anything else I should know?
Yes, there are a couple of regulations that derive from EU law relating to data protection you need to know about.
- Privacy and Electronic Communications Regulations (PECR)
- Network and Information Systems Regulations 2018
The aim of these is to establish trust in electronic transactions between businesses, citizens and public authorities. It's an EU law which came into force in 2016. This also still applies in UK law and is referred to within the DPA 2018. There is also the Electronic Identification, Authentication and Trust Services regulation, known as eIDAS, and not forgetting the Freedom of Information Act 2000. This still applies in the UK, and in particular to the public sector.
What am I expected to do?
First you need to take a step back and not panic. It's a good idea to carry out a risk assessment to help you understand what the risks are now following Brexit: risks in your supply chain, for example, where you are sharing data, what data you are processing and where this is happening.
Take a close look at data sovereignty and consider if you would be better off processing in the UK rather than holding data in a cloud somewhere in the EEA. This is an advantage because it means the data will be subject to UK data protection legislation making it far more straightforward for the information you hold on UK citizens.
Review your data, where you store it and who you are sharing it with. This will ensure you have the right safeguards in place.
Just because Brexit has now gone through, it hasn't affected how you handle data. You are still accountable for the protection of personal data. The ICO has stated you should still comply with the GDPR.
The ICO has outlined steps you can take for data protection.
- Continue to comply. Comply with part 3 of the DPA 2018 and follow ICO guidance.
- Review your data flows and identify where you receive data from the EU. Talk with your European partners about whether they need to put in place any safeguards to ensure data can continue to flow.
- Review your data flows and identify where you transfer data to the EU. You can then document the new basis for those transfers.
- Review your privacy information, internal records and logs to identify any details that need updating now that we are post-Brexit.
- Consider border risks. Look into risks within your supply chain: do you know who you're sharing data with, or who you rely on?
- Organizational awareness: make sure key people in your company are aware of these issues and ensure they are kept up to date with the latest guidance.
Will gaining a certification help me?
ISO 27001 is the international standard for best practice in information security management systems (ISMS). It will help you implement and improve the measures required by both the GDPR and the DPA 2018. At Net Defence we have the experts who can guide you all the way through the process, right up to certification and even beyond, to maintain your certification. Give our experts a call and we will get you on your way and give you the peace of mind that your data has all the necessary controls to protect it and to avoid any penalties resulting from a breach of regulations.