In 2018, one issue has dominated the compliance agenda for most businesses and their marketers, and that’s data protection. During the year, including the introduction of the GDPR legislation on 25 May, the DMA, the UK trade association for the one-to-one marketing industry, has been working hard to provide advice, best practice, insight and training for brands and agencies alike.
On 29 October, the Chancellor delivered his last Budget before the UK is due to exit the European Union at the end of March 2019, and so now seems like the right time to share a Q&A blog, where I put some questions to Chris Combemale, Group CEO at the DMA. I asked him about whether Brexit will affect the current data regulatory framework.
JK: What does the event of a no-deal Brexit mean in terms of British citizen’s data rights?
CC: “No matter what Brexit deal is or isn’t struck, the UK Government has committed to having a robust data protection framework in the UK that balances privacy and innovation. The Government has already implemented the Data Protection Act 2018, which should create adequacy with the EU based on the essential framework of GDPR. In the event of a no-deal, the Data Protection Act will remain part of UK law.
“The challenges of a no-deal Brexit would be much more complicated for British businesses, however, as the disruption to the free flow of data between the UK and EU would be very damaging. This could have further knock-on effects on the UK public, with the possibility of jobs moving to the EU and investment also decreasing. That’s why the DMA has been extremely active in advocating for Adequacy Plus, which would not only enable the free flow of data but would also agree a full voting place on the European Data Protection Board (EDPB) for the UK’s Information Commissioner’s Office (ICO). The UK ICO brings a risk-based philosophy to the deliberations of the EDPB, provides a more balanced view between innovation and privacy than some continental counterparts, in keeping with general UK attitudes and approaches to enterprise. At the very least, the UK must secure adequacy status so the data economy is not disrupted.
“For example, a UK-based company that has EU customers may use an EU-based data centre, but the information is processed at the UK HQ. If the UK leaves the EU without a data deal this company would lose access to its own data, as transfers from the EU to UK would be prohibited. The company would need to find a new supplier or may move operations to the EU, so it can efficiently serve EU-based customers and not have to worry about transferring data from the EU to the UK. Therefore, it is imperative that the free flow of data is maintained.
“We believe the UK cannot retain its position as a global leader in data, technology and marketing if we do not have an Adequacy deal on future data flows with Europe.”
JK: Will it impact all the GDPR stuff we dealt with this year?
CC: “The GDPR has been implemented in the UK via the Data Protection Act 2018 which will remain the law in the UK. However, without an adequacy agreement in place, UK businesses and other organisations would need to find an alternative route to retain the free flow of data with the EU.
“This would require an alternative legal basis such as model contract clauses and industry codes. On this latter point, the DMA is working in collaboration with the Federation of European Direct and Interactive Marketing Associations (FEDMA) to mitigate the risks of no Adequacy by having a FEDMA Code of Conduct endorsed by the European Data Protection Board which would be available to UK companies via the DMA.
JK: Will we be more exposed when out of EU jurisdiction?
CC: “The Government has committed to parsing EU laws into UK law, which should mean a level of consistency for the UK, its citizens and its businesses. The most important thing is to maintain the free flow of data between the UK and EU, as any disruption to this may cause harm to businesses or lead to them relocating.”
“In short, a no-deal Brexit is antithetical to the interests of the data and marketing industry as a whole. A no-deal on data would cause immediate and complete ceasing of UK data-flows with EU countries, a practice through which enormous amounts of business is conducted. Indeed, 75% of the UK’s cross-border data flows are with the EU. Having lobbied this position for months, we know that the government understands the ramifications of this. We shall continue to impress upon the government and our EU partners the importance of getting a deal on data.
“For example, many UK businesses use cloud computing providers that store data in the EU and in the event of a no-deal or lack of an Adequacy agreement it may not be possible to continue to transfer that data. For the UK business, this would mean a need to find an alternative supplier or means of accessing that data, either way disrupting their businesses. For the cloud computing provider too, this would result in potential disruption, need to make significant changes to their processes and even loss of business.”
JK: Will new laws be needed to protect people’s data?
CC: “No. the Government recently passed the Data Protection Act 2018, so the UK has a robust data protection framework that can be trusted.”
To read about our ongoing work for the DMA, click here for our case study.