Mark Burnett, CEO of data protection organisation Hope and May, writes what small and local charities might need to do to make sure they are compliant with GDPR rules in the event of a No-Deal Brexit. Read his blog below
20 September 2019
Just when you thought you had done all you needed to do about data protection, you should brace yourself as there are further changes just around the corner.
In the event of a No-Deal-Brexit, the Government has prepared new legislation which it has called the Data Protection, Privacy and Electronic Communications Regulation 2019. Yes, we are going to have our own version of the existing EU GDPR to ensure we can continue to process data separately from our Continental neighbours after we leave.
The processing of data of UK citizens will be largely unaffected. As a small charity, you may need to make some technical amendments to your current policies and, of course, the mandatory requirement to ensure that UK-based data subjects are aware of such change. However, there are far reaching consequences if you process the data of any European citizens.
The main issue that many organisations may not have considered is something called Adequacy. The EU Commission awards an Adequacy Decision to countries that are considered a safe haven for personal data, places that are considered to have a high standard of human rights, maintain political stability and have appointed supervisory authorities to regulate data processing and uphold high standards of privacy.
The UK, currently benefits from an Adequacy Decision, as do all other EU states as well as Switzerland, Canada and Japan amongst a few others. This important stamp of approval ensures the free flow of data in a similar way to the free flow of people. It fuels trade and relinquishes organisations from the burden of red tape and the cost of implementing legally binding alternatives.
If we leave the EU without a deal, we will automatically lose our Adequacy as a non-EU country. We’ll apply to get it back, of course, but these negotiations can only begin after we have left. This means that for the foreseeable future we will become a Third Country for data protection purposes and not considered adequate for processing non-UK citizen’s data.
The remedy will be a range of interim Safeguards designed to protect non-UK citizens and their data. These include things called Model Clauses and Data Sharing Agreements. The paradox is that although the UK has stated that all EU countries will be recognised on the 1st November as Adequate from its viewpoint, the EU have not reciprocated. In simple terms this means that you could send data from the UK to an EU state country such as France, but they would be breaking the law if they returned it to you.
Although the UK currently enjoys Adequacy, it doesn’t automatically mean we will regain our status and certainly not in the near future. There are hoops to jump through which is why it took Japan almost ten years to achieve theirs.
One problem concerns our surveillance laws. We have laws to enable our Government to snoop on us whenever it has a perceived need. So does the U.S. but Europe however doesn’t and has long criticised such intrusive measures. It is anticipated that the EU will pressure the UK Government to change such laws amongst other requirements, in return for an Adequacy Decision. We will watch with interest as this develops over time.
For a small charity, there are a few recommendations.
Regardless of Brexit, a recent survey by IT Governance revealed some startling facts about UK organisations and their compliance with Data Protection law. It reported that 79% of organisations are not compliant and fall short of their obligations. Unfortunately, smaller charities with less resource are more likely to fall into this category. It seems this isn’t about an unwillingness to comply, but more about a lack of awareness.
The research seems to suggest that in contrast to the high number of non-complaint organisations, only 25% of those questioned said they felt their knowledge of the GDPR could be improved. This reveals a stark truth that most organisations are seemingly unaware of their legal responsibilities and remain vulnerable to enforcement action and reputational damage.
Although most organisations wrote a policy or two last year, they haven’t fully implemented those policies into everyday business life. The Information Commissioner has been loud and clear about this in recent times. She said that there is little or no evidence that organisations are Accountable for their processing of personal data, even though this is a mandatory requirement of the GDPR Article 5(2). Therefore, it is clear that there is still much work to be done and that compliance is a journey and certainly not a destination.
