Assured?
I don't see how the UK ICO can assure anyone of anything with regard to Europe post Brexit.
Multinationals whose data protection compliance was rubberstamped by the UK's privacy regulator have been assured they won't be stripped of the authorisation after Brexit. Firms that wish to move personal data out of the European Economic Area have to demonstrate that they abide by EU data protection rules. They can do this …
If the ICO approves the corporate rules as being GDPR-compliant, and if GDPR doesn't change, the rules must necessarily continue to be GDPR compliant. It's the same situation as would apply to a country that isn't in the EU today, if their rules are accepted as GDPR compliant, they'll continue to be unless something changes.
What the ICO is saying is that it isn't going to strip anyone of approval post-Brexit.
Obviously the EU can change the GDPR rules if it wants to screw around, but that would upset a lot more places than the UK.
The fundamental principle of BCRs is that the organisation has a headquarters within the EU that will accept liability for breach of those BCRs. If an organisation's headquarters are based in the UK then it will not satisfy that requirement after Brexit.
I don't know if that means the BCRs will be automatically void (as opposed to voidable at the whim of other EU regulators) and I doubt the ICO knows the answer either.
However, one does suspect some of the rallying cries for UK BCRs are based more on professional self interest than a detached analysis of the provisions to grandfather authorisations in the GDPR.
I'm still trying to get my head around all the subtleties of Brexit and GDPR but unless I'm mistaken, without some kind of deal we have not currently got anything in place to assess the data adequacy of third countries. Ok, the EU should be a rubberstamp, but India doesn't currently have an adequacy agreement from the EU either. Does this mean that as of March 30th 2019 potentially any company that has outsourced call centres or other data processing functions to India (other 3rd countries are available) are in breach of GDPR?
"Does this mean that as of March 30th 2019 potentially any company that has outsourced call centres or other data processing functions to India (other 3rd countries are available) are in breach of GDPR?"
Stop questioning or it'll be your fault if it all fails.
Brexit means Brexit.
Sovereignty. Will of the people. etc.
Dear Anonymous Coward,
From the position of the people who's jobs have been offshored to India then the EU finding the outsourcers to be in violation of the GPDR, resulting in huge fines to those companies until they onshore those jobs would be a positive and plausible reason to believe"we'd be better off in the EU" because they are tackling problems.
Not that this actually has anything to do with exiting from the EU anyway, but screaming overused cliques at people does absolutely nothing to persuade them that you have a point, especially when in this case you have no point at all beyond being bitter that a democratic vote didn't go the way that you wanted. This makes you look petty and pathetic, and just entrenches opposition to you. Since in this case the opposition is in fact demonstratably in a majority, might I suggest a change of tactics to something more akin to adult communication might be in order if you wish to persuade adults to change their minds? Insults aren't a particually effective way of getting people to change their minds on an issue.
Yours faithfully,
PS. I don't actually think that outsourcing will be found to cause a breach of the GPDR. That said, if some Indian contractor nicks a database then the company is going to be for the high jump with fines!
@Peter2
"you have no point at all beyond being bitter"
Based on your post, a pot and kettle analogy springs to mind. Does anyone else find it strange how Brexiters won the vote but often make such angry, ranting posts? Its almost as if Brexit is a proxy for a wider set of complex problems (none of which will actually be solved by Brexit).
P.S. I also agree that the GDPR shouldn't have much impact on outsourcing to India and other non-EE jurisdictions. Schrems III might but that would create and existential problem for EU data protection laws.
Except the ICO will no longer be in the EU post Brexit, so will it's approval count anymore?
Anyone whose business involves processing lots of data from the rest of Europe should consider moving that side of their operation to somewhere in the rest of Europe.
Once again May is looking bad.
In every sense of that sentence.
I have customers, right now, asking for help with moving their operations to datacentres in mainland Europe because if things don't go to plan, Brexit is an existential risk. They can stay put and hope for the best, or move everything and eliminate the risk.
Some are also considering move customer interfacing roles there too; actual people; because it's not at all clear that they'll be able to legally work with customer data from machines in the UK post Brexit. Call centres that have moved back from India might now be off to Hungary and the Czech Rep.
Anon because customers.