European rules on data protection will still loom large despite Brexit - Ross McKenzie

Speak to any business owner in 2018 and their biggest headache was getting to grips with changes in data protection law. The General Data Protection Regulation (GDPR) shone a light on how businesses handled information about employees and customers.
Ross McKenzie is a Partner, Addleshaw Goddard

Never before had data protection been given so much attention, with social media reaching boiling-point amid public concerns around what digital players knew about them, particularly when deployed in the political space.

Four years on, use of personal information continues to present challenges for business, especially for those with global operations. Countries are racing to put in place their own regimes. The United States, for example, is waking up to privacy laws with continued rumblings of a country-wide law in place of the current state-by-state approaches such as in California.

This means much more homework when using personal information across the world. Typically, businesses take a broad-brush approach to compliance, using GDPR as a “gold standard”, but that is challenging with privacy quirks emerging in different territories.

This landscape is further complicated by Brexit, especially for businesses in the UK with pan-European operations.

The UK Government is revisiting data protection laws to look at simplification, with lawyers waiting feverishly to understand what the UK's own approach will look like. It could mean “GDPR-lite” by loosening laws to make the UK a more attractive place to do business in a data-driven economy. Coupled with a new Information Commissioner, we may see a very different attitude from the regulator.

This all sounds exciting, but the harsh reality for business is that any changes are likely to mean more compliance paperwork.

We already see the impact of Brexit on sharing personal data internationally. Many clients need to share personal data across borders to countries without the same level of protection for data as Europe and the UK, such as the US, or India, where many services are outsourced.

When sharing data, European and UK authorities require specific contractual paperwork in place to manage that sharing – called Standard Contractual Clauses. Prior to Brexit, sharing could be covered by one set of clauses. Post-Brexit, you need to address both UK sharing with our own versions of the clauses, together with separate provisions for European transfers. It feels cumbersome.

Also, changes in law require new clauses in place in the next year, together with assessments to check you are sharing data to a country and supplier that can guarantee the data is protected.

Businesses with European and UK operations also need to factor in reporting data security breaches to European and UK regulators for pan-European breaches, rather than simply the UK regulator.

European decision-making affecting big digital players like Google and related adtech such as cookies will also influence what happens in the UK. Businesses with pan-European website operations cannot ignore these decisions and will need to accommodate both UK law and European changes in attitude to what can and can't be tracked online.

This is against a backdrop where the UK must maintain special status with Europe to continue receiving data from there, through an “adequacy” decision. Too much deviation from data protection principles could jeopardise our free pass to share data with our closest neighbours, causing more compliance burdens.

The shadow of European data protection law will loom for much longer in the UK regardless of the outcome of the UK Government consultation. Our regime is too intertwined to ignore it given our shared history, especially for those juggling multiple laws.
