Privacy Shield and GDPR explained: What does Brexit mean for Data Protection in health?

A new pact between the US and the EU became law in July 2016, regulating the transfer of data across the Atlantic. Named the EU-US Privacy Shield, the new data protection agreement is intended to reassure Europe about the US’ handling of its data – especially around government surveillance and intelligence gathering.

Replacing the Safe Harbour Framework, which was rejected in 2015, the updated framework includes some additional guarantees; including:

• Commitment from the US to not use EU personal data for mass surveillance
• The creation of a Privacy Shield Ombudsman to make it easier and cheaper to resolve disputes from EU members
• An annual review of the framework, by both sides
• Additional transparency for Europeans about how their data will be used.

Another EU agreement is also due to come into effect in May 2018, which aims to provide harmonisation of data protection across the member states. the General Data Protection Regulation (GDPR). But these are both European legislation, so what does Brexit mean for UK data protection in health?  

Five things you need to know about Brexit and data protection

Global healthcare providers and manufacturers, who rely on the transfer data between continents and across Europe, are likely to be confused about where Brexit leaves them with compliance and protection. Here are five things you need to know:

1. The UK has its own Data Protection Act (DPA) 1998. The DPA ensures the UK is safeguarded should we leave the EU before GDPR comes into play. However, the Information Commissioner’s Office (ICO) emphasised: “having clear laws with safeguards in place is more important than ever given the growing digital economy”.
2. Post-Brexit UK may have to adopt EU data protection rules. The GDPR framework will only apply to the UK if we are still in the EU in 2018. If the UK wants to trade on equal terms with the EU post-Brexit, UK data protection law would need to be reformed to bring it up to the standards of GDPR, according to the ICO.
3. We may still accept the Privacy Shield. It will be down to the ICO to determine whether it thinks the Privacy Shield is adequate, and whether a post-EU Britain would adopt a similar pact with the US. An ICO spokesperson said: “With so many businesses and services operating across borders, international consistency around data protection laws and rights is crucial both to businesses and organisations and to consumers and citizens”.
4. Convention 108 still applies to the UK. The UK will continue to be a member of The Council of Europe, which is made up of 50 countries – including some that are not in the EU such as Iceland, Russia, Georgia, Turkey and the Ukraine. This affords protection to individuals in the transfer of data between members.
5. We will remain in the EU for a minimum of two years. After Article 50 of the Lisbon Treaty is invoked, which kick starts our official exit of the EU, there is a two-year period where we will negotiate our leave. Until then, all existing legislation (including GDPR from 2018) will continue to apply.

Here is how you can ensure you’re protected:

• Assess the potential impact of GDPR and Privacy Shield on your organisation
• Raise awareness among your organisation that things are changing
• Ensure you have a record of the information you hold, where it comes from, who accesses it and who you share it with – plus the legal justification for each action
• Check your privacy notices, they may need updating
• Do your procedures meet enhancements to subject rights? For example, the right to have personal data erased or the reduced timetables for dealing with subject access requests?
• Review your consent models to ensure they are compliant with the GDPR requirements
• Decide whether you require a dedicated Data Protection Officer.

Monmouth offers a full range of support to help organisations meet their data protection requirements. You can find out more here.