The good thing about GDPR was that organisations knew when everything had to be in place to comply. It was 25 May 2018. It was a date that created change for many companies. It was at least a concrete date. And most of all, European countries had agreed the regulation.
GDPR continues today.
The challenge today
The challenge faced by many UK organisations right now is the issue of Brexit and how it impacts on personal data security.
Whilst it is widely understood that the UK is to leave on 29 March 2019 (unless there is an extension or unless Brexit is stopped), what happens on 30 March 2019 will impact on personal data security.
In essence, there will be a “data gap.”
How big is the data gap?
How much of an issue this gap is or how long the gap will be in place remains to be seen. In broad terms, whilst UK organisations will be able to send personal data across to the European Union they may not be able to receive personal information back. But why not? Simply, because the European country sending the data to the UK has to be sure that appropriate security measures are in place to protect it.
Helping get over the data gap
Is this a big issue for organisations? As usual with the complexity of the GDPR, it depends on a number of factors. However, let’s take a fairly straightforward example to illustrate the Data Gap. Your company is based in the UK and you are running an event. To help you with this task you have enlisted the services of an event registration company. The registration company is sent details of your delegates that are coming to the event. At that point the registration company do their job as a processor for you. But, because they are based in a European country, let’s say the Netherlands, they do not have to send the processed information back to the UK unless you as the UK company can provide them with certainty of what security measures are in place when it crosses to the UK.
At the moment the solution to the above problem is to have Standard Contract Clauses in place. In our example, this would be between the UK and Dutch companies. These Standard Contract Clauses are being referenced by the Information Commissioner’s Office (ICO) as a way forward. You would need one for each data processor or supplier. Effectively they would need to be in place before 29 March 2019 to avoid any gap. You may need to provide other documentation about your security processes depending on what the European country requires.
Maybe you can change processors to overcome this problem but maybe it’s not worth it. What’s important is that you understand how you will receive personal data after the 30 March 2019.
In time maybe an ‘Adequacy Agreement’ for Data Protection will come into force. Given bigger discussions are going on right now, it’s hard to know where data security is on the priority list.
The suggestion is not to wait for the ‘politicians’ magic wand but act now and be ready for changes on 30 March 2019. Technical Bulletins issued by the UK Government and updates from the ICO are worth a read to keep up to date.
With the number of changes that organisations have needed to put in place to comply with GDPR, the Data Gap is really just another challenge. It’s an important one and could easily be missed. However, data security is always going to be with us as an ongoing priority, and therefore the organisations that truly embrace it will end up being trusted, which in the long term means they will be in business long after the Data Gap has been jumped over.