No deal, not adequate

Over two years after the UK ratified the UK Data Protection Act 2018 and brought into law the EU General Data Protection Regulation, we face a new era of uncertainty.


Why I hear you say?  We spent all that time preparing for GDPR, what now?


Although the UK DPA 2018 is based upon principles of the EU GDPR, what you probably have not picked-up in the news, is that no negotiations about our laws being “adequate” have started yet. As when we exit the EU (no matter of hard Brexit, soft Brexit, customs union Brexit, Norway+ or Canada+ style deals), we are not able to start negotiating data protection adequacy, until an outcome has been reached.


How long will this take?  Going by previous negotiations this could take between two to four years, albeit that UK DPA 2018 is a bastardised version of EU GDPR, some elements may be debated for some time.


So what do we do in the meantime?  Your previous assessments privacy impact and contractual adjustments are the core of your previous hard-work, so this will not be a “do-over”.


Concentrate your efforts on your contracts with whom your data resides.


Good data privacy clauses in your contracts are still the core of good practice. It’s not about being in or out of the EEA; what matters is your good information governance practices.


Do you use EU based data storage and service providers?  Look at your data flows and see where they exit and enter the UK.


Do you have clauses or safeguards in your contracts and information governance practices if you transfer data to third countries?  Review your contract clauses, amend your privacy notices, inform your customers and be transparent.


Rest assured that we will be waiting a long while for that elusive “adequacy” agreement.


At the end of the day, no matter what the politicians do or do not, know your and your customer’s data journeys.  Know how you manage that data and know your information governance practices.