This article discusses the consequences that would result from the UK’s possible withdrawal from GDPR.
GDPR is the European Union’s General Data Protection Regulation, which came into force in 2018. It contains rules regarding the processing and collection of personal data for any country within the European Economic Area (EEA).
In simple terms, it means that you have control of your data and how it is used. The UK played a big role in developing the legislation, and GDPR is used as a model for many other countries’ data protection legislation.
As the UK still retains GDPR legislation, you can be confident that you have the right to know that any of your personal data that an organisation holds is accurate and only used for the purpose for which it is intended. A citizen can also request to see any personal data relating to themselves using a Subject Access Request. Organisations that hold your data have an obligation to protect your personal details. They also have to delete your data, when they have finished using it for whatever you agreed they could do with it. So even conspiracy theorists worried about the ‘deep state’ should like this, right?
Unfortunately, the more extreme players in the Brexit culture war are intent on removing every trace of the European Union from the UK via the upcoming Retained EU Law Bill (known as the “Brexit Freedoms Bill”). According to a government press release, “The Bill will make it easier to amend or remove outdated ‘retained EU law’ – legacy EU law kept on the statute book after Brexit as a bridging measure”. The claim is that easing regulations will make it easy for businesses to thrive, cutting back unnecessary bureaucracy.
A government consultation is taking place, and some frightening suggestions have been made regarding the replacement of GDPR in the UK.
The response by the UK government to a consultation on the future of data sharing is entitled “Data: a new direction – government response to consultation”.
One aspect of the “new direction” includes “reforms to reduce disproportionate impacts of subject access requests on organisations”. How can this be anything other than reducing the responsibilities of organisations to respond to requests? That last company you worked for may have an extremely unfair summary of your time there, which may filter through to any references requested in future. Tough luck, you’ll never know. You’ll just keep failing job interviews.
Another sneaky change relates to the way that many organisations use computer algorithms to make decisions based on your personal data. A good example could be the way that insurance companies used to redline residential areas, where premiums would be increased. According to the ICO website, GDPR mandates that companies must “introduce simple ways for [citizens] to request human intervention or challenge a decision”. This is vital in an era where so many decisions are being made via machine learning AI systems. The government wants to remove this.
An example of where retaining this ability to challenge would be useful? Well, remember the A level exam fiasco, where A level results were messed up for the first time in seventy years? That’s right – a faulty algorithm made sure that this university year is packed to the rafters with public school alumni. Were it not for the ability to challenge these algorithms, Jacob Rees-Mogg would be calmly telling those angry about the results that they’re just less intelligent than their betters.
The world is moving towards regulatory alignment. Here’s a hypothetical example to make the point:
If country A has the same regulations on, say, widgets as country B, and the necessary widget standards regimes are in place in both countries, then exporting widgets from country A to country B would necessitate fewer checks. Border checks would simply require the necessary paperwork to show that a crate contained some widgets, rather than enforcing standards by opening the crates and checking the quality of each widget. This is a simplification, but it conveys the way that sharing regulations reduces friction when exporting to another country.
Removing the widget standards in country A would make it easy for two businesses, both of which are in country A, to sell goods to each other, but it would impede exports from country A to country B, as those crates would now have to be opened, and random shipments of widgets inspected to make sure that they’re sufficiently widgety. Global trade is eased by sharing similar standards.
GDPR works the same way. A quick glance at the EU Commission website shows the number of countries that have equivalent legislation to GDPR.
Three options – a Hobson’s choice?
The UK’s tech industry, in particular artificial intelligence, relies on users being willing to share large amounts of personal data with British companies. We’re not going to stop providing services to a huge continent on the other side of the Channel anytime soon. So how would removing GDPR affect UK businesses that currently access EU citizens’ data?
That depends on what form the change takes. There’s more than one way of replacing GDPR. There are three basic options.
The least harmful option would be that GDPR is craftily reworded and renamed so it doesn’t cause much of a fuss. It ends up so similar to the current GDPR, in effect, that the EU grants a positive adequacy decision, and companies can operate as they do now. Some of the extreme Eurosceptics will like the fact that the ‘made in the EU’ label is removed from a British law. Others may be more hardline. You can’t please all of the people all of the time.
The second option could involve dropping certain EU controls relating to data sharing, but not introducing anything that explicitly contradicts GDPR. Effectively, that leaves individual companies to decide to put in place contractual and technical controls to be able to handle personal data.
If you’re based in the UK, and so are all of your business customers, and those customers only handle data of UK citizens, then you don’t have a problem. You don’t even have to implement any related GDPR controls for that processing. Cost and bureaucracy removed.
However, if some of your UK customers start working with EU personal data, and you’re involved in processing that data, then those customers will drop you like a brick if you haven’t implemented GDPR compliance.
You see, GDPR controls extend to third parties. To be GDPR compliant, all of the suppliers that access that data have to follow the rules as well.
What would that mean to your company? Well, you would have to follow GDPR rules if you want to keep the aforementioned customer. You’ll also have to add specific contractual clauses, as mandated by the EU, to your contract with that customer. More money for lawyers, and we all know how long they take to sort out contracts, let alone the latency involved in getting your customers to re-sign with the new clauses.
You’ll also be asked to provide a higher level of due diligence. This is where the real cost comes in. You would already have to show how your company implements security, and how it allows users to exercise their rights over personal data, such as the right to have that data removed. But in this case, you’re also going to be asked for higher levels of certification.
The most common type of certification is to have a SOC 2 Type 2 report produced. SOC stands for System and Organization Controls, and is an assessment against the American Institute of Certified Public Accountants’ Trust Services Criteria. In this instance, it would cover Confidentiality, Security and Privacy. Although this is a US based standard, it has now become accepted within the IT industry across Europe, as well as many other parts of the world. It doesn’t map entirely onto GDPR, but it would likely be asked for during any due diligence process if you’re in a non-GDPR country.
What is a SOC 2 Type 2 report? To me, a security professional, it is a report showing not only that security controls are implemented, but also that they are demonstrated to be running adequately. To you, a UK business already experiencing more Brexit red tape, it’s anything up to £55,000 if you’re having the audit done for the first time (that’s just the auditor fees, not counting your staff gathering evidence for the audit and putting security controls in place). And you have the auditors in to review it every year going forward, so you’ll keep paying forever.
Well, that’s annoying, but the proposed changes will make things easier for dealing with non-EU countries, won’t they? Well, not if those countries are on the EU adequacy list mentioned previously. And as previously mentioned, that list is growing.
Also, don’t forget that most global organisations are sub-divided into regions, and the one that the UK falls into is almost always called EMEA in any big organisation. EMEA stands for Europe, Middle East and Africa. Those regions are not going to pay for an HR system covering every other country in the region, but then also go to the extra expense of buying a separate one for the UK. So dealing with a branch of a global bank that is situated in an African or Middle Eastern country may very well require your company to follow GDPR, because it’s easier for that business customer to apply rules across an entire region.
There are so many circumstances where your company is going to have to follow EU rules on data sharing, even when dealing with UK companies. So you’re still going to be compliant, and implement the same controls, and do the same internal reviews to ensure the correct controls are in place. Only you’re going to have to pay extra for lawyers to redraft contracts, and big money for extra audits to keep those customers happy.
Check out how SOX (Sarbanes-Oxley, US legislation) requires banks around the world to ensure that they are SOX compliant. It’s the same with GDPR.
No benefits at all. You still follow GDPR. More cost every year.
The nuclear option?
What’s the third option? Well, this would be the pressing of the nuclear button by the most hardened members of the Brexit-worshipping European Research Group in the Tory party:
Replacing GDPR with legislation that directly contradicts EU rules for data handling.
And the passage of such legislation through parliament gives the UK security services a window to put pressure on the government to allow monitoring of more of every citizen’s personal data.
There was an agreement between the US and the EU called Safe Harbour, where US companies could handle EU data as long as the correct contractual clauses and controls were in place. However, this is no longer in effect, due to government data monitoring initiatives within the US, such as the PRISM programme. The result was that sharing of EU personal data was stopped. Biden is currently making efforts to repair this, as US companies have been losing opportunities to do business.
This is the worst case. If the UK decides to allow this type of monitoring, then EU citizen data could no longer be shared to UK based companies.
So how would your organisation be able to handle EU data in this third option? This would be stricter than simply asking your cloud provider to host this data in their EU data centre. You may have to move your staff and premises out of the UK to a GDPR compliant country. As we don’t have freedom of movement any more, a possible conclusion would be that companies would have to lose UK staff and hire people abroad. Where they’d have to follow GDPR.
Imagine having to sack your UK staff because you’re doing business with Japan (which is on the EU adequacy list).
As with any culture war, the truth is that there is no simple answer, regardless of how many politicians need soundbites to further their agendas. We’re at the stage where an intent to change much of the structure of UK regulations has been announced in the “Brexit Freedoms Bill”. The next stage is for the Brexit supporters to rubbish any analysis of those changes which sounds less than positive.
It’s understandable that the UK government wants to get rid of EU regulations. Not much else in Brexitland has shown the promised advantages, so this is the last roll of the dice.
Could it be more harmful to our economy than leaving the Single Market and the Customs Union? UK companies are left with having no certainty about what will replace current EU regulations, so they have to waste resources on second guessing the government.
For no benefit.
And for more cost.
And they’ll still have to follow GDPR.