Don't sweat Brexit, big biz told: Your shiny data protection sticker will remain intact

Survey reveals GDPR training and investment is on the rise

By Rebecca Hill


Multinationals whose data protection compliance was rubberstamped by the UK's privacy regulator have been assured they won't be stripped of the authorisation after Brexit.

Firms that wish to move personal data out of the European Economic Area have to demonstrate that they abide by EU data protection rules.

They can do this by setting binding corporate rules (BCRs) on data protection safeguards and having them approved by an EU data protection authority.

According to the European Commission, the UK's Information Commissioner's Office has approved about a quarter of all BCRs to date, and there was some concern about their continued status after the UK leaves the bloc.

However, deputy commissioner James Dipple-Johnstone has now confirmed that "no BCR authorisation will be cancelled because of Brexit".

He said in a blogpost that the ICO would "continue to work together with other European data protection authorities for international transfers to be achieved".

But, with the incoming General Data Protection Regulation, effective in May 2018, organisations with existing approvals will need to make sure they are compliant with the new rules.

In addition, new applicants have been told to ensure their BCRs align with GDPR. Those already in the system may be contacted to ask them to update their submission.

Dipple-Johnstone also said that the group was working on its backlog "as quickly as we can", adding that the ICO was making changes to improve its service, including bringing on more staff, to ensure the "timeliness of application processing".

Meanwhile, an assessment of privacy governance by the International Association of Privacy Professionals and EY has found increased awareness of – and spending on – GDPR as the date draws ever closer.

According to the survey (PDF) of privacy professionals, some 63 per cent of organisations are stumping up for training, compared with 50 per cent last year. They also plan to spend a mean of $5m adapting products and services for GDPR.

However, the report said that just 40 per cent of organisations felt they would be fully compliant when GDPR comes into effect on May 25. ®
