October 13, 2016 - Blog

GDPR – The UK Brexit Context

Blog post by Stephen Sherry, Principal Consultant, Data Management, Version 1  

In the previous blog posts on the new EU General Data Protection Regulation (GDPR) legislation we provided an overview of the key changes and obligations the legislation imposes, and of the architectural implications and considerations required to implement it within the relevant timescales. In this blog, we look at the potential implications for enterprise and solution architects of the recent UK Brexit vote and its potential impact on adoption of, or conformance to, the GDPR legislation.


The General Data Protection Regulation (GDPR) – a Brief Overview

A more detailed overview of GDPR and its architectural implications can be found in the previous blog posts, but a summary is provided below.

The two-year countdown to the new EU GDPR legislation has already begun and all affected organisations will need to be fully compliant with the rules by 25 May 2018. All organisations which capture, store and manage data about European Union citizens need to conform to and abide by a range of data protection regulations and governance procedures, and must evidence, to the required level of traceability, that this compliance has been achieved.

The new legislation is significantly different from previous data protection legislation in this area: it is much broader in scope and coverage, and it has extraterritorial effect. Under the GDPR even companies outside the EU will be affected. Entities located outside the EU that offer goods or services to residents in the EU, or that monitor EU residents’ behaviour (as far as that behaviour takes place within the EU), will be subject to the regulation. Relevant systems are required to be suitably amended and adjusted by May 25th 2018, and this has a direct impact on the timings and scope of the data architecture and related solutions in future technology roadmaps.


The UK - Brexit Context

The recent Brexit vote on 23rd June has caused considerable uncertainty in the UK and other EU member states as to whether the data protection measures included in GDPR will be fully ratified and imposed on UK organisations following exit from EU regulation. This has given many UK organisations doubt as to whether supporting and implementing the measures of GDPR is worthwhile. Regardless of the outcome and timing of Brexit negotiations, it is highly likely that UK organisations will have EU citizens as customers, employees and suppliers for many years to come, and so will need to treat this data in accordance with GDPR regulation in order to operate in such markets.

There are also questions regarding cloud application service provision and storage technology directions, as many such data centres are in EU locations and may in future operate according to legislative criteria that differ from UK regulations. In contrast, some cloud providers such as Oracle currently have only UK data centres as part of their European operations. This uncertainty about future directions has deterred some organisations from considering such services until the outcomes of Brexit negotiations are known.

The UK’s Information Commissioner’s Office (ICO) already gives effect to many of the GDPR’s requirements. GDPR will be in force from May 25th 2018 – well in advance of Brexit. The UK’s ICO, courts, businesses and organisations will already have in place the necessary protocols and infrastructure to ensure GDPR compliance. So, while the UK may technically be free to walk away from GDPR, the question arises: “why would they do so when GDPR will substantially be in place and when it is in the UK’s interest – its citizens and business?”

GDPR, and now Brexit, undoubtedly create a need for flexibility and adaptability in relevant cloud architectures, future state architectures and the resulting technology roadmaps.

So, all in all, lots of work to be done. The clock is still ticking…