As "deal or no deal" talks continue and UK companies prepare for Brexit, data protection is a crucial issue that is not getting the attention it deserves. British firms have spent significant time preparing for the General Data Protection Regulation (GDPR) as members of the EU. Brexit, however, may force them to re-think that approach and get ready to comply with GDPR from outside the EU - a very different scenario. Companies that fail to understand the full impact of Brexit on UK data protection could face serious consequences.
As March 2019 and the prospect of some form of Brexit draw closer, British companies have to consider a whole new way of thinking about GDPR. A no-deal Brexit may be unlikely - but it is a possibility - and UK firms need to be prepared for whatever form Brexit might take. In the worst-case scenario, the UK would leave without an EU adequacy decision confirming that its data protection standards are equivalent to the EU's, and would fall to "third country" status. Personal data could not then flow from the EU to the UK unless an appropriate transfer mechanism, such as Standard Contractual Clauses, was put in place for each transfer. If that happened, companies would need to revisit their previous GDPR preparations. Data flows would have to be re-examined to identify personal data transfers from the EU, and new mechanisms put in place to legitimise these cross-border transfers.
This would be a major problem for British firms that transfer personal data between the UK and the continent. But it could also affect organisations that do not think of themselves as holding personal data at all. It is obvious that a retail bank or financial manager holds customers' personal data, but an asset management firm whose customers are other institutions may assume that it does not - an assumption that can prove wrong and risky. Data privacy audits show that company information on HR matters, compensation, contractor relationships, due diligence and so on can create surprising exposure to GDPR liability.
GDPR is emerging as the new global standard. In an example of the "Brussels effect", non-EU companies around the world have begun choosing to implement GDPR even though they are not required to. While GDPR compliance will be essential for UK companies doing business in Europe, it may well become a requirement in business dealings far beyond Europe - making it that much more important to revisit GDPR programmes early and be prepared in case of a no-deal Brexit.
Reviewing your GDPR plan in preparation for Brexit reduces and helps quantify risk, and provides numerous benefits. You avoid the potential for fines that can be immense. You demonstrate to customers and partners that their data are secure in your company's hands. You are prepared to manage data breaches effectively - and they will occur. Perhaps most importantly, you protect your corporate image by avoiding the wrong kind of headlines - a critical factor in a world where poorly handled data breaches tarnish reputations and destroy trust.
We are experiencing a seismic shift in how people expect their personal data to be used and protected. Preparing for this change will better position your company for the future. No matter what the outcome of Brexit, changes in Britain's relationship with Europe are coming. Companies that are proactive on data protection will garner significant business advantage - and avoid untold risk.
Alex Scheinman is director at ACA Compliance