Don't sweat Brexit, big biz told: Your shiny data protection sticker will remain intact

Survey reveals GDPR training and investment is on the rise

By Rebecca Hill

Posted in Policy, 21st November 2017 13:29 GMT

Multinationals whose data protection compliance was rubberstamped by the UK's privacy regulator have been assured they won't be stripped of the authorisation after Brexit.

Firms that wish to move personal data out of the European Economic Area have to demonstrate that they abide by EU data protection rules.

They can do this by setting binding corporate rules (BCRs) on data protection safeguards and having them approved by an EU data protection authority.

According to the European Commission, the UK's Information Commissioner's Office has approved about a quarter of all BCRs to date, and there was some concern about their continued status after the UK leaves the bloc.

However, deputy commissioner James Dipple-Johnstone has now confirmed that "no BCR authorisation will be cancelled because of Brexit".

He said in a blogpost that the ICO would "continue to work together with other European data protection authorities for international transfers to be achieved".

But, with the incoming General Data Protection Regulation, effective in May 2018, organisations with existing approvals will need to make sure they are compliant with the new rules.

In addition, new applicants have been told to ensure their BCRs align with GDPR. Those already in the system may be contacted to ask them to update their submission.

Dipple-Johnstone also said that the group was working on its backlog "as quickly as we can", adding that the ICO was making changes to improve its service, including bringing on more staff, to ensure the "timeliness of application processing".

Meanwhile, an assessment of privacy governance by the International Association of Privacy Professionals and EY has found increased awareness of – and spending on – GDPR as the date draws ever closer.

According to the survey (PDF) of privacy professionals, some 63 per cent of organisations are stumping up for training, compared with 50 per cent last year. They also plan to spend a mean $5m adapting products and services for GDPR.

However, the report said that just 40 per cent of organisations felt they would be fully compliant when GDPR comes into effect on May 25. ®
