Five Years Post-Brexit: Navigating GDPR Services in 2023

It’s five years since the Data Protection Act 2018, the UK’s ‘version’ of GDPR, came into force. If you sell to the EU, how has it affected you? We consider the importance of GDPR services in getting your sales strategy right.

When did Brexit happen? Depending on your point of view, it was either June 2016, when the referendum took place, or 31 January 2020, when the UK formally left the EU following a long and frequently fraught period of negotiation and transition. If you spend your life dealing with data protection, however, there’s another date: 25 May 2018.

That was the date the Data Protection Act (DPA) 2018 came into force. It was the UK law that effectively copied and pasted the EU’s General Data Protection Regulation (GDPR) into a UK-specific version and laid out the data relationship between the EU and UK moving forward. Five years on, what’s the situation now regarding GDPR services?

The core of data protection

We’re going to spend much of the rest of this post exploring how UK data protection laws have evolved or are in the process of evolving post-Brexit. Yet it’s important to remember that, in the UK and EU, the core principles of GDPR still apply. Transparency, consent, data minimisation, and security remain central pillars of the GDPR. With the central purpose of the DPA “to empower individuals to take control of their personal data and to support organisations with their lawful processing of personal data”, such matters remain central to the DPA too.

Yet there are now differences between the two laws – and those differences are only likely to grow. The differences aren’t purely an effect of Brexit. Technological advancements (most obviously AI) are also changing the way the law, individuals and businesses approach data privacy and, by extension, the issue of GDPR services. We can sum up those changes as follows:

Changes in GDPR Compliance Post-Brexit

Pre-Brexit, as part of the EU, UK businesses didn’t need to take specific steps to address data protection when dealing with EU members because the UK was an EU member. Perhaps the most obvious post-Brexit change has been the need for an EU GDPR representative to operate on behalf of the UK organisation within the EU.

Yet the very purpose of Brexit was to enable the UK to forge its own path, so we can expect things to continue to change. As an example of that change, the ICO ran a consultation exercise regarding anonymisation, pseudonymisation and privacy enhancing technologies (PETs), and guidance on PETs for data processing officers has now been published.

That’s a clear point of difference between the UK and EU and it certainly won’t be the last. So when you’re looking for data protection/GDPR consultancy, it’s essential to choose providers who are abreast of the changes, understand them, and can help you adapt your compliance efforts to the new post-Brexit regulations.

Embracing Technology for Better Compliance

We’re often asked about AI in terms of ensuring data protection compliance when putting it to work within a business. What’s so far been largely overlooked is the potential for AI and machine learning to revolutionise how companies manage GDPR compliance, streamline processes and manage potential risks.

When seeking GDPR services, consider providers with the know-how to apply AI to improve your compliance efforts (for example, by making data mapping more efficient, automating consent processes, and enhancing breach detection).

Managing Data Transfers with Caution

Post-Brexit, the rules around transferring data between the UK and the EU have become more intricate. It’s true that (with certain important exceptions) data adequacy rules mean data can flow freely between the EU and UK, but there are important additional steps to take in terms of mapping where your data flows, and further steps to follow when your data travels beyond the EU.

When choosing a GDPR service provider, it’s important to ensure they have experience dealing with international data transfers, and that they can guide you through the complexities of moving data across borders, so your processes remain simple, and your business operations remain compliant.

Comprehensive Audits for Improved Compliance

A data audit has often been the starting point for any organisation’s data protection journey. Five years after the DPA, and with the growing impact of Brexit, AI, and a global landscape more attuned to data protection, it’s fair to say the depth and complexity of such audits have increased significantly.

As a consequence, the importance of data protection compliance audits is even greater than it once was. If it’s some time since you completed an audit – or if you’ve never audited your data – it’s important that you put regular auditing in place. To help, it’s important to choose GDPR services that understand the evolving nature and importance of the data audit and can apply it to your organisation in a way that saves you time, minimises potential issues, and gives you a roadmap for making improvements.

A foundation for compliance

We started this post exploring which elements of data protection haven’t changed in the years since Brexit. As much as it’s important for any EU GDPR consultant to be on top of the evolving data landscape, it’s equally important for them not to lose sight of those central, unchanging pillars.

Consent. Transparency. Security. They remain every bit as fundamental to data protection as they always were. When selecting GDPR services, perhaps the most important criterion in choosing a provider is to ensure they commit to these fundamentals while keeping up with the changing times.

Explore how our GDPR services can support you now, get data protection advice or, for questions about your next steps, call us on +44 1772 217800.