
UK on the brink of post-Brexit data protection divorce?


The UK’s relationship with the rest of Europe has had its fair share of ups and downs. From Agincourt to the Anglo-Dutch wars and beyond, we have always had what some might call a love-hate relationship with our European neighbours. In recent times, although it was a battle waged in the corridors of political power rather than the battlefield or high seas, the most obvious example of our conflicting agendas is the UK’s decision to leave the EU entirely in the form of Brexit. And while we may have left, the ramifications of this decision are yet to be fully realised.

At present, both the EU and the UK have their own General Data Protection Regulations (GDPR) which are, to all intents and purposes, identical. However, the UK has recently sent some pretty strong signals of its intention to live by its own data protection rules…

The rumblings of discontent

In 2020 the UK government published an updated National Data Strategy (“the strategy”). This claimed that there was a lack of clarity about “certain aspects of data protection rules and regulations”, which caused particular difficulties for SMEs. In particular, the strategy stated that “businesses should not be driven to costly over-compliance or high risk aversion with respect to data sharing by unnecessary complexity or vagueness in the regulatory environment.”

The strategy said that, to tackle this, the government would work in partnership with the ICO to clarify aspects of the UK’s existing data regime that “generate confusion or inertia” to lift compliance burdens on businesses.

A public statement of intent

On 27 February 2021, an article written by Oliver Dowden, Secretary of State for Digital, Culture, Media and Sport (DCMS), was published in the Financial Times. Mr. Dowden, who is responsible for the UK’s data protection policy, referred to the UK having a long and proud tradition of defending privacy, and a commitment to maintaining world-class data protection standards.

Pointing out that the UK is no longer in the EU, he wrote “we do not need to copy and paste the EU’s rule book, the General Data Protection Regulation, word-for-word.”

The way forward

On 19 March 2021, the DCMS and the ICO signed a Memorandum of Understanding which recognises the roles and responsibilities of the DCMS and the ICO in carrying out adequacy assessments. The Memorandum says that the DCMS now holds powers to make independent UK data adequacy arrangements with new partners around the world, making it easier for organisations to send data internationally.

The ICO and DCMS have issued a joint statement: “Data transfers are vitally important to global economies and societies and through the granting of adequacy we will reduce barriers to transferring personal data internationally, while also ensuring that data continues to be safeguarded by high data protection standards”.

Time to prepare for G(dp)Rexit?

All of the above seems to strongly point to the UK developing, at least in some areas such as international data transfers, its own data protection rules. It is likely that, very soon, the government will announce priority countries for data adequacy agreements.

This will identify those countries that the government deems it safe to transfer personal data to – without the need for any additional security or contractual arrangements (such as SCCs) to be put in place. Whether this will include the US remains to be seen.

As for the wider implications, it isn’t time to throw the GDPR rule book out of the window just yet. The ability to transfer personal data securely, and to put adequate measures in place to protect that data wherever it resides, is essential to business transactions and operations across Europe and beyond. The sentiments and principles of the GDPR will remain in place for some time, even if the UK government does decide to assert its independence in the form of changes to the UK regulation.

The GDPR isn’t facing its Waterloo just yet, but UK and EU businesses alike would be wise to keep track of developments in data protection regulations in the UK as any changes are likely to impact their ability to trade and transact in the future.


Written by Robert Wassall
Robert Wassall is a solicitor, expert in data protection law and practice and a Data Protection Officer. As Head of Legal Services at NormCyber Robert heads up its Data Protection as a Service (DPaaS) solution and advises organisations across a variety of industries. Robert and his team support them in all matters relating to data protection and its role in fostering trusted, sustainable relationships with their clients, partners and stakeholders.
