Following a long period of political turmoil, the UK government’s Brexit withdrawal bill has completed its passage through the House of Commons and received royal assent.
While this deal is merely the starting point of the Brexit process, it sets into motion an intensive period of trade negotiations which, regardless of whether a deal is agreed or not, could have a significant impact on the way that UK organisations operate.
One of the areas that will be discussed during the transition period, which comes into effect from 31st January, is data protection. The period of Brexit uncertainty is far from over, and this blog examines how potential changes could impact the ways in which data will flow between the UK and EU, and what compliance requirements UK organisations need to be aware of.
What is the EU Withdrawal Agreement?
The European Union (Withdrawal Agreement) Act 2020 is an Act of the UK Parliament which makes legal provision for ratifying the Withdrawal Agreement and implementing Brexit in UK domestic law.
The initial Brexit Withdrawal Agreement Bill was published in 2018. Following an extended negotiation process and repeated rejections of the Bill in Parliament, an amended version was finally passed and enshrined in law on 23rd January 2020, meaning the UK will leave the EU on 31st January 2020.
What comes next?
Under the European Union (Withdrawal Agreement) Act 2020, a transition period will run from 31st January 2020 until 31st December 2020. During this time, current EU rules will continue to apply to organisations in the UK, while UK and EU leaders attempt to negotiate a future trade deal and arrangements for security and law enforcement.
During the 11-month transition period, the UK will remain in the EU’s Customs Union and Single Market but will be outside its major political institutions and will have no representation at the European Parliament.
With the UK government having already ruled out any form of extension to the transition period, time is short to agree a deal, and negotiations are unlikely to be easy.
Implications for UK data security
During the transition phase, while UK and EU negotiators discuss future data protection arrangements, the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA 2018) will continue to apply to organisations in the UK. Likewise, operators of essential services and relevant digital service providers will need to continue to comply with the Directive on security of network and information systems (NIS Directive).
There has long been concern about the prospect of a post-Brexit world burdened by interruptions to data flows between UK and EU organisations. Both UK and EU authorities have stated that they are committed to avoiding this scenario after the transition period, ensuring a high level of data protection and the free flow of data.
The Withdrawal Agreement states that personal data of EU citizens processed in the UK before the end of the transition period will continue to be processed in line with existing EU law. The most desirable outcome of negotiations from a UK perspective is likely to be an ‘adequacy decision’, whereby the European Commission formally recognises that UK data protection law provides a level of protection essentially equivalent to that of the GDPR, allowing personal data to flow from the EU to the UK without additional safeguards.
The Data Protection Act 2018, the legislation responsible for upholding GDPR standards in the UK, is already in force so this should help to make an adequacy decision easier to achieve. The same is true of the Network and Information Systems Regulations 2018 (NIS Regulations) which transposes the requirements of the NIS Directive.
Should an adequacy decision fail to be adopted, an alternative option could be a Privacy Shield-type framework similar to the one currently in place between the EU and the US. Failing that, UK organisations receiving personal data from the EU would need to rely on the other transfer mechanisms the GDPR recognises, such as standard contractual clauses or binding corporate rules.
Given the way things currently stand, businesses are advised to continue to maintain GDPR, DPA and NIS compliance for the foreseeable future. This includes ensuring technical measures and robust procedures are in place to protect personal data and detect and investigate personal data breaches.
Support with meeting current and future regulatory requirements
As an award-winning provider of managed security, assessment and consultancy services, Redscan is experienced at helping organisations to improve data security in line with the requirements of the GDPR, DPA, NIS Directive and other compliance standards.
If you’re looking for a partner to help your organisation improve risk awareness, develop and deploy a security testing programme, or implement the capabilities needed to prevent, detect and respond to cyber threats, get in touch to learn more about how we can help.