What Does Brexit Mean for GDPR (and should you be concerned?)

With the Brexit transition period set to end in January 2021, businesses have much to think about if they are to maintain business continuity

In many cases there is some ambiguity as to how businesses will need to pivot various functions in the coming months. Fortunately, amid this complexity, GDPR is one of the more clear cut cases. Simply put, EU GDPR will no longer apply directly to UK businesses after the transition period.

Despite this, UK organisations will still need to comply with EU GDPR requirements beyond 2020. This is because the 2018 Data Protection Act – an act of parliament governing data handling in the UK – has made the EU GDPR’s requirements into law. In effect, this means we have a ‘UK GDPR’ that resembles EU GDPR in all but name. That being said, this does not mean that organisations can now ignore how they handle data following Brexit. Though UK GDPR legislation is a good guide for the immediate future, there are considerations to be made that extend far beyond January 2021.

A time for reflection

Organisations already in compliance with GDPR are unlikely to need to change much to stay within legal practice for the present. But Brexit provides a good opportunity for companies to review how they handle data on a wider scale. One area to focus on in particular is transfers of personal data given that the various mechanisms approved for use in the EU will no longer automatically apply in the UK. If you’re moving personal data between the UK, EU and other countries, there are still questions that the UK is working out, and the best place to get official instructions is the ICO website.

The issues surrounding GDPR post-Brexit highlight that it is fruitless to view GDPR purely on a localised basis. Instead, organisations should be looking to ensure their data compliance is to the highest possible standard. As such, when local legislation changes, businesses will not have to implement drastic reforms to stay in legal compliance. Moreover, it guarantees that their customers’ data is being protected to the best possible standard.

Is it time to raise the bar?

But what standard can consumers expect and what should businesses strive for? As technologies for securing data become more sophisticated, so do those for gaining unauthorized access to such data. While this may make some of the practices of today obsolete, the only way to ensure that your organisation does not fall behind the curve is to stay at the cutting edge. By constantly holding your organisation to the highest, present standard, you will be minimising any future outlay that may be needed.

Given that it is unlikely for any universal standard in ‘global compliance’ to emerge, the responsibility falls predominantly on the individual companies. Fundamental differences in various countries and cultures simply make the gap too great to bridge in the near future. In the meantime, companies can take the pragmatic approach of choosing a data protection regime that is sufficiently strict to likely satisfy the requirements of most of their target markets and to build products and services that enable customers to make use of the liberties and opportunities granted to them and, at the same time, to remain compliant with the laws they are subject to.

In conclusion, the consequences of Brexit on GDPR are two-fold. In the short term, there is little cause for concern among organisations. The current practices in place among UK organisations – assuming they are in compliance with current laws – means there is no reason to believe that they would suddenly have to overhaul in January 2021. At the same time, however, Brexit also illustrates the point that standards for data privacy and protection are not set in stone. What may be seen as acceptable today has no guarantee of being fine

in even just a few years. As such, it only makes sense that data protection and privacy be treated as a continuous process that is constantly under evaluation rather than a ‘one and done’ affair. In doing so, organisations are setting themselves up for a future free of concern for GDPR.


About the Author

Martin Ojala is Data Protection Officer at Pipedrive. Inspired by proven methods of experienced sales people, Pipedrive engineers developed a platform that helps salespeople and teams focus on learning and repeating their most effective process to close deals. By bringing together the tools and data, the platform focuses sales professionals on fundamentals to advance deals through their pipelines.

Featured image: ©bluedesign

Copy link