GDPR, Brexit and What the Future Holds for Data Privacy
It’s now been a year since the introduction of the EU’s General Data Protection Regulation, or GDPR for short, a defining law on data protection and privacy for individuals within the European Union, and the sharing of personal data outside of the EU. Yet, not long before these ground-breaking regulations came into effect the British public voted to leave the EU, and Brexit was triggered, the data implications for which are still being negotiated by government officials.
The perfect storm
Whilst the impact of GDPR on data compliance and security practices has been enormous, perhaps the biggest effect has been consumers’ increased awareness of how, why and when their data is being accessed, and the resulting scrutiny of how businesses and public bodies are caring for it. This, combined with the political uncertainty of Brexit, has made for a perfect storm where the consequences of misuse of data have become effectively unlimited, posing an almost existential risk to business.
For this reason, there’s a desperate need for businesses to re-examine current methods of storing and securing enterprise data, as the underlying systems and processes are no longer fit for purpose. Many were created in an age when data was created in smaller quantities from a limited number of sources, as well as used and shared differently. These technologies were not designed for today’s omni-channel, digital economy, and nor were they designed to accommodate data sharing demands for the requirements of regulations like GDPR, or Brexit, if and when it finally occurs.
Preparing for Brexit
The Data Protection Brexit Regulations, if passed by Parliament, will make changes to the GDPR and the Data Protection Act 2018 (DPA 2018) so that the law continues to function effectively after the UK has left the EU. The GDPR as it applies to the UK will, after exit day, be referred to as the UK GDPR and will apply in the same way to processing by controllers and processors who are established outside the UK.
Under the GDPR, controllers and processors may not transfer personal data to countries outside the EEA unless certain safeguards are in place, for example where the European Commission has established that the legal framework of the country in question provides an ‘adequate’ level of protection for personal data. When the UK leaves the EU, the UK GDPR will transfer the European Commission’s power to make an adequacy decision to the Secretary of State. Through ‘adequacy regulations’, the Secretary of State will be able to specify whether a third country, territory, sector or international organisation ensures an adequate level of protection of personal data. In the absence of an adequacy decision, the transfer of personal data to countries outside the EEA can still occur by using alternative safeguards.
The provision in the GDPR to adopt a representative in certain circumstances is also retained. This means that a controller or processor outside of the UK will (in certain circumstances) have to designate a representative in the UK for the purposes of ensuring compliance with the UK GDPR.
New technologies to overcome new regulatory demands
It is clear that to meet these dynamic and increasing regulatory data use demands, there is a desperate need for businesses to re-examine current methods of storing, sharing and securing sensitive data. Businesses will need to be able to show they have controls in place for personal data sharing and storage that meet these regulatory requirements if they are to survive.
One technology that meets these demands is Distributed Ledger Technology (DLT). Gospel Technology’s DLT-based platform allows for data to be shared on a view-only basis, where access can be controlled at a granular level based on a set of predetermined criteria, but not exchanged across borders. Gospel Technology’s unique, patent-pending Consensus-on-Read ensures that it is mathematically impossible to access data without authority. At the same time, the platform maintains an immutable, auditable record of all changes and accesses, which can be used to prove regulatory compliance.
Not only can the Gospel Technology Solution be used to meet the Data Protection Brexit Regulations, but it also meets GDPR requirements through its ability to give ownership back to the data owner, including the ‘right to be forgotten’, which can be achieved when a component of the encryption key is deleted, making this data unreadable and unrecoverable. This is done whilst maintaining high levels of interoperability and flexibility within current systems and APIs, allowing organisations to easily integrate and future-proof their architecture. Effectively, this allows enterprises to comply with regulatory demands and collaborate safely and securely, without jeopardising the consumer’s all-important right to privacy.
The Data Protection Brexit Regulations will continue to be reviewed
In its latest report, the House of Lords’ EU Committee states that the European Commission will start the process of assessing the UK’s data protection regime as soon as possible after the withdrawal date, with a view to adopting an ‘adequacy decision’ by the end of the transition period on 31 December 2020, to allow data flows to proceed without interruption. Until then we wait with bated breath, but no matter the outcome it is imperative that organisations worldwide prioritise the ethical use, protection and security of their customers’ data in this new digital economy. To see how Gospel Technology can help your organisation not only protect data internally but also securely share trusted data with full auditability and accountability externally, contact us today at [email protected]