We decided to take a little break from fraud in this episode to focus on Brexit instead. Specifically, we were interested in how Brexit will impact UK firms with regard to data. So Gerry called up Eric Klotz, who is something of a data legislation expert, to get some answers about data privacy, the new EU GDPR and how Brexit will impact legislation and UK firms.
Kelsey: Welcome back to the Ravelin Fraud Academy podcast. This week we’re focusing on everyone’s favourite topic: Brexit. In the fallout from Brexit one area that has received little coverage is the impact leaving the EU will have on UK firms and DATA. Will the complex treaties and legislation still hold sway? Will European companies struggle to buy from UK firms? Will UK firms have to change their data storage location? Ravelin CMO Gerry Carr is joined by lawyer Eric Klotz, a data legislation expert, to address these questions along with any potential implications.
Gerry: I think if you could start, Eric, by giving us a little about your background and expertise in this area.
Eric: Sure, Gerry, nice to be invited. I’m a lawyer and I trained with a large UK company, a law firm called Bristows. I got heavily involved in data protection very early on. I’ve since worked with a couple of technology companies with a large focus on data protection. I work with Datahug, and they work with multinationals and companies across the EU in rolling out software, dealing with regulators in France, compliance issues in Germany. I’m currently with Conversocial and I do a lot of privacy work as part of that.
Gerry: Okay, that’s great. So let’s get the crystal ball out. What’s your best guess for what’s going to happen? What are the implications of Brexit going to be for the UK’s data compliance position?
Eric: I think the good news is, some people may have already read this, but the ICO in the UK has confirmed that, regardless of Brexit, they will be implementing the GDPR; it’s due to be implemented in May 2018.
Gerry: Sorry Eric, GDPR is what?
Eric: The General Data Protection Regulation, the new data protection regulation in Europe. So, despite that and despite Brexit, the UK Government, or the ICO at least, has said that, because Brexit won’t even have happened until after the GDPR comes into effect, the ICO will be assisting in implementing it in the UK. So it seems like in the short term there won’t be any major change from the UK’s departure in the context of data protection.
Gerry: I’m not sure how these things work, but do you see these sorts of data protection laws as sort of outside of politics? Are these unlikely to be things that are on the negotiating table when maybe it’s a miracle in a few months’ time?
Eric: I think that’s right; you have to appreciate that the UK has been involved in negotiations towards this new regulation, and it’s broadly in line with the spirit of current UK law, so it would be highly unlikely, I would say inconceivable, for the UK to entirely scrap that. So, I think it’s unlikely to be a major talking point; that said, obviously, in the future, in the more medium term after the GDPR has been implemented, one could imagine a scenario where the UK deviates slightly from that. One really important point to note, though, is that the EU has traditionally been considered to have a high watermark in the context of data privacy. Under the new law the scope of the GDPR is far wider than ever before, such that it’s going to capture most multinational companies. The scope now is going to cover, effectively, any company that processes EU data or data regarding EU citizens. So, you can see how we’re going to start seeing large US companies that don’t necessarily even have a major footprint in the EU, but sell to EU consumers, having to comply with EU data protection law. So, my view is that this notion of Brexit and how it will impact UK companies’ compliance with EU law is a bit of a red herring, because regardless of any deviations the UK may make, UK companies are always going to necessarily need to comply with the GDPR, the new EU regulation, if they want to do business with EU customers. In the medium term, if the UK ever did change its law, what would happen is that UK companies would possibly have two tiers of compliance requirements.
Gerry: That’s a nightmare scenario. One of the sort of structural past potential problems is that, for instance, and we’re very common in this; we are a UK based startup but our data is stored in Dublin and Amazon. Is that sort of dual location of data, do you think that’s going to become a problematic structure or will that be business as usual?
Eric: I would have thought that it would be business as usual. Obviously, with the new data protection laws in the EU, data transfers, in recent times, are one of the most hotly talked about topics, and a lot of people feel that the law regarding data transfer and where data is stored does not reflect the reality of most of their businesses. There was a real opportunity missed; a lot of commentators feel that they could have changed that, but the current data transfer regime will largely be unchanged. On the basis that the UK will be adopting the GDPR, as confirmed, in the short term it should be business as usual really. In the medium term, obviously, if there was any change to the UK position, most commentators would assume that, at least, they’d be seeking an adequacy determination equivalent to other countries.
Gerry: Okay, while we have you on the line, why don’t you give us two minutes on what the implications of the GDPR are likely to be, or is that too big of a question?
Eric: I think that one of the main things, in what I said, is that you’re really going to see, because it’s extraterritorial, it’s not something that is going to be limited just to companies with their base in Europe. It really is extraterritorial, so that’s a really profound difference. It’s going to become something that most global companies are going to be aware of and be looking to comply with. So, other main points are that fines are increased dramatically, so large multinationals can be fined up to 4% of global turnover or €20 million, so what that will mean is that there’s just going to be more of a compliance burden. You can imagine there’ll be more compliance and privacy individuals involved in the procurement cycle and things like that. One other change is that certain companies are going to be required to appoint a DPO, a Data Protection Officer, which they already do in Germany, but it’s something that’s quite new. Things like data transfers are largely the same and aren’t changing too much. You can be assured that a lot of the core mechanics are still going to remain the same. So, beyond the kind of increased optics, increased compliance, I think those are the high-level points.
Gerry: So the bad news here, Eric, it sounds like, is that Brexit is not going to churn out a whole lot of new work for data lawyers.
Eric: Not specifically, I think that the GDPR is more relevant. But Brexit in itself, given that the UK is adopting the GDPR, shouldn’t have a material impact in the short term. Obviously over time it could, but at the moment businesses want commercial certainty, and it seems the government is keen to provide that, and I think both commentators would be skeptical in thinking that the GDPR would be on the table in any kind of negotiations or trade discussions, because it seems like it’s going to be adopted in full.
Gerry: Okay, that’s perfect, Eric, thank you very much for your time.
Eric: No problem, anytime.