Don't sweat Brexit, big biz told: Your shiny data protection sticker will remain intact

Survey reveals GDPR training and investment is on the rise

By Rebecca Hill

Posted in Policy, 21st November 2017 13:29 GMT

Multinationals whose data protection compliance was rubberstamped by the UK's privacy regulator have been assured they won't be stripped of the authorisation after Brexit.

Firms that wish to move personal data out of the European Economic Area have to demonstrate that they abide by EU data protection rules.

They can do this by setting binding corporate rules (BCRs) on data protection safeguards and having them approved by an EU data protection authority.

According to the European Commission, the UK's Information Commissioner's Office has approved about a quarter of all BCRs to date, and there was some concern about their continued status after the UK leaves the bloc.

However, deputy commissioner James Dipple-Johnstone has now confirmed that "no BCR authorisation will be cancelled because of Brexit".

He said in a blogpost that the ICO would "continue to work together with other European data protection authorities for international transfers to be achieved".

But, with the incoming General Data Protection Regulation, effective in May 2018, organisations with existing approvals will need to make sure they are compliant with the new rules.

In addition, new applicants have been told to ensure their BCRs align with GDPR. Those already in the system may be contacted to ask them to update their submission.

Dipple-Johnstone also said that the group was working on its backlog "as quickly as we can", adding that the ICO was making changes to improve its service, including bringing on more staff, to ensure the "timeliness of application processing".

Meanwhile, an assessment of privacy governance by the International Association of Privacy Professionals and EY has found increased awareness – and spending – on GDPR as the date draws ever closer.

According to the survey (PDF) of privacy professionals, some 63 per cent of organisations are stumping up for training, compared with 50 per cent last year. They also plan to spend a mean $5m adapting products and services for GDPR.

However, the report said that just 40 per cent of organisations felt they would be fully compliant when GDPR comes into effect on May 25. ®

Sign up to our NewsletterGet IT in your inbox daily


More from The Register's Brexiteers warned not to push for divergence on data protection laws

As PM lacks specifics on UK’s desired ‘adequacy-plus’ deal

Uber hack: EU data protection bods launch taskforce

Justice commissioner slams biz for 'irresponsible' behaviour

Big tech wants the ICO on EU data protection board in Brexit fallout

Watchdog keeping voting rights 'huge gain' for marketing sector, say Facebook, Google et al

Austrian privacy chief handed leash to EU's data protection beast

Group warms up for greater powers once GDPR hits Snoop laws not 'significant' obstacle to EU data protection talks

Digi minister confident of adequacy decision post-Brexit

Dell EMC patches 3 zero-days in Data Protection Suite

Could combine to 'fully compromise' virtual appliance, researchers warn

Facebook smartmobe app's pre-ticked privacy settings violate German data protection law

Court favours consumer group in long-running dispute

EU's data protection bods join the party to investigate Uber breach told to sever ties with 'grubby, unethical' company

UK Data Protection Bill tweaked to protect security researchers

Re-identification of data will not be a crime, as long as you warn the authorities

Coming soon to a Parliament near you – UK's Data Protection Bill

First reading to be squeezed into short September term