Personal data has become the new commodity in our digital economy. In the past, companies have gathered huge amounts of personal data about people, in an attempt to influence their buying decisions on certain brands and products. We have seen from recent scandals, such as that of Facebook and Cambridge Analytica, that our personal data can be manipulated to influence people’s opinions on world events through to their voting decisions. There seems to be no end to the level people will go to in order to push an agenda. This only increases the value of personal data to those threat actors who are desperate to get hold of it at any cost.
‘Personal data is the new commodity of the digital economy’
GDPR has now become law and with it, comes more stringent requirements for companies to adhere to, in order to protect personal data of EU citizens. However, in parallel, with Brexit scheduled to go into effect in March 2019, there is some uncertainty within the business community about whether or not the UK’s own privacy law will give EU citizens the same level of protection they currently enjoy under GDPR.
Up until the time when Brexit comes into effect, the UK is still part of the EU. Therefore, when businesses are transferring personal data across borders, they currently have the GDPR as protection. But, what happens after the UK leave? How is that data going to be protected? There appears to be no clear strategy for the protection of data on the Brexit Agreement during or after the two-year transition period.
What does this mean for businesses who rely on the flow of personal information with the EU and UK? EU companies now have a new standard and have gone through a rigorous change in their policies and procedures to make sure they are compliant. Now they will be faced with a new set of problems and headaches to resolve before customers lose faith and move their business elsewhere.
As you can imagine the EU is not happy with the UK’s decision to leave the EU and as such, the EU Commission published a Notice to Stakeholders, confirming the UK will be post-Brexit classified as a third country. What does this mean for companies who deal with them and transfer personal data? Well, it means, unless the UK-based company has very strict conditions and contracts in place regarding the protection of personal data and specifically the transfer of that data cross-border; similar to the US-EU Privacy Shield already in place for US transfers to the EU; then UK companies could potentially lose out. This has many repercussions for UK businesses long-term.
With the UK introducing the new Data Protection Bill, it is attempting to align their legislation with that of the EU’s GDPR. So, when Brexit does become a reality, there are robust measures in place for the protection of personal data.
However, until Brexit does come into effect, we will not know for certain what measures will be in place. Until then, the UK remains in the EU and its data protection laws are aligned to GDPR. What we would suggest, is to understand how your company may be impacted by Brexit and start making preparations for the challenges that lie ahead.