Privacy in a Post-GDPR Britain: What’s Your Brexit Plan?
Deal or no deal – Britain is heading for a Brexit. And, while some Britons stockpile everything from pasta to clothing to cat food, British companies are bracing themselves for a digital void of uncertainty. But with the right proactive cybersecurity measures in place and a little planning, there is no reason for a UK business to be lost at cyber-sea!
Here are some points to consider when constructing your Brexit plan:
The General Data Protection Regulation (GDPR) is not a law
As its name suggests, the GDPR is not a law – but a regulation. While the GDPR does apply to all member states of the European Economic Area of the European Union, each country is free to interpret the regulation as it sees fit. In Denmark, for example, a stricter interpretation of the GDPR has led to mandatory encryption laws being applied to Danish data. As a rule: Be sure to read up on the local GDPR-inspired laws for any EU regions you operate in.
Third-country – not third-class
Since they all fall under the GDPR, and must theoretically comply with the privacy regulation, organizations operating out of member states of the EEA are free to exchange information across EU borders. But, while so-called ‘Third-Countries,’ referring to nations outside EEA borders, are not likewise given a free pass, they can exchange data once they are vetted as having adequate data protection laws and practices.
The UK just might be OK
By the time the Brexit break is made official, Britain will have been under the GDPR for nearly a year. Among other things, this means its Data Protection Act 2018, if left intact, should theoretically comply with GDPR demands. But special attention must be paid to mirroring any subsequent changes to the GDPR – for example, if Denmark’s mandatory encryption laws were to be adopted by other EU nations.
The GDPR is out of UK control
A post-Brexit Britain no longer has a seat at the EU negotiating table – including for any matters related to the GDPR. This means that, if your British organization is going to do business on the Continent, preparing for unanticipated decisions might be your best course of action. Having proactive data protection features, like end-to-end encryption, for example, can help you navigate any sudden changes.
You can’t hide from the GDPR
Even after Brexit, countless citizens of EU nations are going to continue working in Britain. In addition to covering nations within the EEA, the GDPR also covers the citizens of those nations – regardless of where they reside. If a Belgian national living in London, for example, provides personal information to your British organization, their data is protected by the GDPR.
It’s not just about you
If you intend to navigate the GDPR and continue doing business within the EEA from Britain, you need to consider who you are working with in the UK. Under GDPR regulations, any third parties working alongside your organization, who might be handling EU personal data, must also be compliant. Before establishing or continuing a third-party relationship post-Brexit, look for cybersecurity audit certifications – here’s why they are important.
Your Post-Brexit Plan:
While the UK continues to battle, outline and hash out its Brexit plan, there are ways your organization can help weather the storm. In addition to adopting proactive data protection policies, like encryption, your organization should consider having a backup plan. Echoworx, for example, has data centres in Ireland and Germany, which allows our clients to securely send GDPR-compliant messages within the EEA.
By Nicholas Sawarna, Sr. Content Marketing Specialist, Echoworx