The UK’s Information Commissioner’s Office has confirmed it will still honor binding corporate rules on data protection.
Although the UK has been in Brexit limbo for the last year and a half, with no clear end in sight, the Information Commissioner’s Office (ICO) confirmed this week that firms who have set binding corporate rules (BCRs) that have already been approved by an EU data protection authority will not have their status cancelled. It’s an important note to companies who may be concerned about what would happen once the UK officially leaves the EU.
This reassurance from ICO Deputy Commissioner James Dipple-Johnstone is also noteworthy for organizations that might be putting off compliance with EU regulations, such as the General Data Protection Regulation (GDPR), which will come into force in May 2018. This is because the ICO has also confirmed that any organization applying for a BCR from now on should make sure its application is in accordance with the new GDPR guidelines in order to be authorized.
He said in his blog that “New GDPR-compliant applications submitted from now will receive approval after May 2018, once the new legislation is in effect.” And he also confirmed that updated guidance for these applications will be available before the end of the year.
It means that any UK company wishing to move sensitive data on European nationals out of Europe will need to prove that they abide by EU data protection rules, regardless of the final outcome of Brexit.
Despite this, it is thought that only 40% of global organizations will be fully compliant by the May deadline, according to the IAPP-EY Annual Privacy and Governance Report 2017. For tips and advice on how to get started, the ICO offers a guide, and we’ve also put together a handy timeline to help.