Brexit. Leaving the EU and its laws. As a long-time geek I’ve had the principles of the UK Data Protection Act drummed into me since I studied GCSE IT. It is the foundation of how we lay out the responsibility and liability for the care of the personal data we share with companies and other organisations – the data controllers.

I should say, I’m not a lawyer, I’m an IT guy cum Information Security Practitioner, so I’m trying to get my head around this from a business and technology perspective…

The UK was actually ahead of the curve in developing this type of legislation. The EU Data Protection Directive and its revisions caused a number of modifications of the Act over several revisions. The DPA, as it’s referred to, is largely an incredibly useful piece of legislation in that it has been the template for similar laws globally – which are now considered the norm around the free trading world.

Should the UK exit the ‘EU’ but remain in the Common Market (EEC), the EU Directives would still apply. As such, transfers of data across the EU should still be allowable. However, if we leave the Common Market then serious thought would have to be put into any organisation sharing UK personal data in the EU.

A for-instance would be if you’ve got data in a datacentre in Ireland. Believe it or not, Microsoft and Amazon use Ireland for their datacentres for Office 365, Azure and AWS. If the UK did not stay in either the EU or the Common Market, then the data would have to be migrated back to the UK.

I guess most people believe we’re unlikely to leave the Common Market; however, if we leave the EU, we’d lose our seat at the table in terms of shaping legislation moving forward – unless we negotiate on that. It’s important to remember there are different levels of Brexit!

That’s as things stand now.

This year, the European General Data Protection Regulation comes into force. Unlike a Directive, the member states don’t need to pass the laws individually. The legislation is probably a good thing for us as it’s targeted at multinationals, cloud operators and the like wanting to do business in the EU. This gives individuals – you and me – the rights to request certain things of our data, such as getting it back!

The GDPR is still largely being developed, with a 2016 to 2018 phase-in. So we’re all still learning about what effects it’ll have.

For the UK, it may also be another win, as data controllers have to register with a Data Protection Officer when doing business in the EU. The UK and Ireland would probably be favoured due to the number of companies headquartered here and the language advantage for US multinationals.

That said, whilst Brexit is being talked about, Ireland would probably be the favourite. This would undoubtedly cause some reduction in revenue for the Information Commissioner’s Office in Wilmslow. However, any fines raised under the new regulation would probably go straight into EU coffers.

Next time I’m going to ponder the EU / Safe Harbour scenario in the context of a Brexit…

Here at Unleashed we carry out both practical and strategic IT consultancy, with an easy-to-approach, boutique-agency style of working. Curious as to what that is? Then give us a call!
