The missing GDPR/BREXIT piece?

No, this is not another one of those articles about whether GDPR matters because of BREXIT. I think most sane people agree the point is moot and DPA (2017) - or whatever it will be called - will at least mirror the requirements of GDPR.

This post/question isn't even about being GDPR ready and how I can help your firm/project meet the May deadline (shameless plug out of the way for those of you who may want to engage me).

Those of you who have sat in on a meeting/call I'm involved in will be all too aware that I am rarely unsure of my own opinion. Those of you who know me well will know that this is normally because I have done my research first.

Discussions around servers hosted in the UK, EU or US, storage timelines, deletion capability, transfer across jurisdictions, portability of data etc, DPIA, LIA, Process Data Inventory and Data Mapping etc have all featured prominently in every GDPR related article on LinkedIn etc for some time now.

Information and opinion about all of these are freely available and very interesting on an intellectual level - at least to me.

I am not ashamed to admit to having read all 88 pages of

 REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) 

and to have a copy which is covered in highlighter and notes (some illegible, scribbled out or completely meaningless to me days after having written them).

I have the Data Protection page on the EC's website bookmarked (will definitely be keeping an eye on EU US Privacy Shield).

EU-US Privacy Shield

However, amongst all the noise about GDPR, there is one topic I have very rarely seen being discussed; even on LinkedIn where everyone seems (or claims) to be some kind of expert.

It's a topic which has bothered me since I first read about it and had hoped to see more about.

Article 27 Representatives of controllers or processors not established in the Union

Maybe BREXIT is a long way away. Maybe the experts think we can only focus on one thing at a time, but why is this not all over the place?

If, post BREXIT, my e-business sells to EU nationals will I need to appoint an EU Representative?

The UK will be outside the EU. There is no UK EC Privacy Shield Working Group I know of.

Will business end up with further layers in a EU-UK Privacy Shield type scenario?

What about a UK-US Privacy Shield workload?

Clearly, DPA (2017) should/could take care of all of the last two but what do I do about Article 27 and when do I do it?

The large multinationals will be okay. What about my friend who sells loads of eLiquid online to Irish customers? Who is talking to him about the potential impacts and why GDPR does matter even despite BREXIT?

Again, those of you who know me will understand that I often know (or think I know) the answer before I ask a question like this.

As always, I have my opinions. As always, I am willing to be proven wrong.

Is there anyone out there who can assure me this is at least being discussed. The world is changing. eCommerce and the Cloud can make every business multinational and multi-jusridictional.

Personal Data is Gold. Protection of it is very important. Is enough being done to let small businesses know about the impacts - potential and real - that GDPR, DPA (2017), EU US Privacy Shield and their ilk will have on them?

Print   Email


Stay In Touch With Us

Subscribe to our news letter to get the latest news from Fidabona