Multinationals whose data protection compliance was rubberstamped by the UK's privacy regulator have been assured they won't be stripped of the authorisation after Brexit.
Firms that wish to move personal data out of the European Economic Area have to demonstrate that they abide by EU data protection rules.
They can do this by setting binding corporate rules (BCRs) on data protection safeguards and having them approved by an EU data protection authority.
According to the European Commission, the UK's Information Commissioner's Office has approved about a quarter of all BCRs to date, and there was some concern about their continued status after the UK leaves the bloc.
However, deputy commissioner James Dipple-Johnstone has now confirmed that "no BCR authorisation will be cancelled because of Brexit".
He said in a blogpost that the ICO would "continue to work together with other European data protection authorities for international transfers to be achieved".
But, with the incoming General Data Protection Regulation, effective in May 2018, organisations with existing approvals will need to make sure they are compliant with the new rules.
In addition, new applicants have been told to ensure their BCRs align with GDPR. Those already in the system may be contacted to ask them to update their submission.
Dipple-Johnstone also said that the group was working on its backlog "as quickly as we can", adding that the ICO was making changes to improve its service, including bringing on more staff, to ensure the "timeliness of application processing".
Meanwhile, an assessment of privacy governance by the International Association of Privacy Professionals and EY has found increased awareness – and spending – on GDPR as the date draws ever closer.
According to the survey (PDF) of privacy professionals, some 63 per cent of organisations are stumping up for training, compared with 50 per cent last year. They also plan to spend a mean $5m adapting products and services for GDPR.
However, the report said that just 40 per cent of organisations felt they would be fully compliant when GDPR comes into effect on May 25. ®