Given the possibility of a no-deal Brexit, organisations need to have data protection contingencies in place, especially as the clock ticks down to the UK’s date for leaving the European Union on March 29. So the data protection regulator, the ICO, told a recent conference on ‘GDPR in practice’.
Jonathan Bamford, director of strategic policy (domestic) at the Information Commissioner’s Office, was the opening and concluding speaker at a Westminster eForum seminar in central London. He said that his warning was not just for those that receive data from and send data to other EU countries, have customers in the rest of the EU, or have subsidiaries there. A no-deal Brexit will affect you if you use cloud services that are set up in the EU, and have data flows. He said that the ICO has a website page on Brexit, and advised his audience to look at it at once.
Speaking more generally, Bamford said that while the data protection landscape had changed greatly in the last year – the ICO has seen big rises in inquiries and complaints since the EU-wide General Data Protection Regulation came into force in May 2018, through the Data Protection Act 2018, which will remain in force regardless of the UK leaving the EU – what the ICO is still receiving from the public is inquiries and complaints about ‘basics’, such as subject access requests, and complaints about intrusive telephone marketing. He described data protection and privacy as in all our interests, whether organisations or individuals.
The audience – a mix of compliance, IT, legal and cyber backgrounds – also heard about charity, legal, media and healthcare experiences of GDPR compliance. They heard a suggestion that over-cautious legal advice before the GDPR came into force may have led businesses to ask their email database unnecessarily to opt in to keep receiving mail, only to see that database decimated.
More in the March 2019 print issue of Professional Security magazine.
See also Information Commissioner Elizabeth Denham’s latest blog on the myths for UK small and medium-sized businesses transferring personal data to and from the EEA (European Economic Area). And from law firm Mishcon de Reya, Jon Baines’ reflections on data protection issues (‘never been more pressing or more prominent’).
Meanwhile the ICO, looking to keep an international role after Brexit, has made Peter Hustinx, who was the first European Data Protection Supervisor, a non-executive director.