The General Data Protection Regulation (GDPR) is the most significant and substantial updating of data protection legislation in Europe for three decades. We have previously predicted that in Western Europe alone GDPR would drive $3.5 billion in spend within security and storage software, with additional spend on services and cloud infrastructure. Is this threatened by Brexit?
GDPR contains an extra-territoriality clause, which means that any data processor handling EU citizen (personal) data is within scope of GDPR, irrespective of the geographical location of the data processing. UK firms handling EU citizen data will therefore still have to comply with GDPR, and technology firms selling to the EU, such as cloud and datacentre services, will also have to adhere to EU rules. IDC has spent the last year convincing US-based firms of the importance of GDPR and how it applies to them: the post-Brexit UK will be no different.
UK firms that do not deal with EU citizen data will not need to comply with GDPR itself. But we expect the UK to adopt its own law equivalent to GDPR, just as Canada and Switzerland have done, in order to meet the standard of equivalence that the EU demands before data can be transferred to and from the EU. In fact, the Information Commissioner’s Office has indicated as much. A failure to implement such equivalence would lead the UK down a path similar to that of the US, which is enduring the demise of Safe Harbor and a tortuous agreement process with its replacement, Privacy Shield. This would severely affect UK firms’ ability to compete in Europe.
In short, companies should proceed with their GDPR planning on the assumption that they would either have to adhere to GDPR anyway, because they process EU citizen data, or that the UK government will implement laws that are essentially identical to GDPR.
While we wait for Brexit negotiations to conclude, UK firms handling EU citizen data should examine the use of model contract clauses and binding corporate rules to appease concerned EU-based customers, lest they seek to relocate services to one of the 27 remaining member states.
However, when it comes to the use of cloud services, many EU organizations prefer to be under the same jurisdiction as their cloud provider. Once the UK is no longer part of the EU, UK cloud providers might be ruled out because they are not governed by EU law, even though they can prove equivalence with GDPR standards. Brexit aside, many organizations prefer to be able to go to court in their own country, where they know the rules and procedures, as they perceive this as a lower-risk approach.
In summary, Brexit does not create legal impediments to EU data being stored in the UK. But EU companies may prefer to have their data close to them, for pragmatic and perception reasons.
If you want to learn more about GDPR and its implications within the current European scenario, please contact Duncan Brown or Carla Arend. You can also find more insights about the current Brexit and tech situation from IDC’s Three scenarios for how Brexit will impact Information Technology spending in Europe.
In addition to this press release and posts, we now have a 35-page report available on the impact of Brexit on UK and European IT spend: The Brexit Impact on IT Spend in the U.K. and Western Europe: A Scenario Analysis. The report outlines the scenarios in more detail, the associated assumptions, and the expected impact across hardware, software and services for each scenario. If interested, please contact Sara Fernandez for more information.