Potential changes in the way UK businesses handle data of EU residents is one of the lesser-known consequences of Brexit. Much focus has understandably been on the big issues such as the Northern Irish border, complying with standards and fishing rights. Yet any alteration to the current data laws UK businesses must abide by will have far reaching implications, impacting where information can be stored and how it can be shared.
It is still unclear what this post-Brexit data agreement will look like. While it is hoped that the EU will deem the UK as a trusted location for the data of its citizens, meaning little change in the relationship, there is every possibility that this will not be the case. Fortunately, there is a slightly longer deadline for the decision about our data relationship with the EU compared to other aspects of Brexit, albeit not by much. The well-publicized deadline for the UK to leave the common market and the customs union is midnight on Dec 31, 2020. However, the remit of the GDPR extends to Jan 31, 2021.
Although such uncertainty is difficult to prepare for, businesses can take several steps to ensure they are ready for whichever way the penny drops. These include understanding how their data flows, ensuring contracts can be amended ahead of time and making sure that unstructured data is protected.
In line with Europe
Ever since the enactment of the Data Protection Act 1984, the UK has aligned its data privacy laws with its European counterparts. This commitment saw the UK signing up to the GDPR despite having already begun the process of leaving the EU before the legislation came into force. Indeed, the UK Government has confirmed that it will maintain the strict standards of the GDPR once it has left the common market and the customs union.
Yet after Jan 31, 2021 the UK will be viewed by the EU as a ‘third country’ in the eyes of GDPR, where data will only be allowed to transfer here under special agreements between organizations and their partners. There is the possibility that the EU will still recognize the UK as having adequate data protection for information to be sent there without additional safeguards, but whether this will happen or not is still unclear.
Judging UK data protection adequate
What could potentially jeopardize the UK’s status of data adequacy comes from an unexpected quarter. Schrems II was a landmark case in Ireland brought forward by Max Schrems against Facebook for processing the personal data of EU users in the US. The court agreed with Schrems that data was not safe there due to the US’s clandestine surveillance practices of seizing data of private citizens without providing any notice or recourse. As this violates a principal aim of the GDPR, protecting data from exploitation or misuse, the ruling led to the collapse of the EU-US Privacy Shield Agreement, which in turn prevented Facebook, along with other organizations, from sending EU data to the US.
This could affect the UK because it has been implicated as a partner in several US surveillance programs. When combined with the UK’s own surveillance laws, such as the Regulation of Investigatory Powers Act 2000 (RIPA), the EU could be presented with a picture that shows the UK as a country that cannot be trusted to ensure the safekeeping of citizens’ data.
To cope with the approaching uncertainty, businesses must act now and implement the following steps.
1) Understanding data flows
To ensure they can comply with whatever regulations they are presented with after January, it is imperative that businesses know where the personal data they are responsible for is. This includes where it is stored, who it is sent to and in which country those recipients are located. It is important not to forget those service providers that host corporate data, such as Office 365, as these often store information on servers that are in other jurisdictions.
While all businesses should already be doing this as part of their GDPR obligations, it is worth double checking. In the light of Brexit, many service providers are moving UK customers to servers outside the EU; Google, for example, relocated UK data from Ireland to the US earlier in 2020.
2) Understanding vendor and client agreements
New regulations about how data is handled will mean that agreements with clients and vendors will need to be amended to guarantee compliance. To ensure they can do this quickly and effectively when the situation arises, organizations must examine their contracts ahead of time to know exactly what needs to be changed. It is also worth having a discussion with those affected vendors and clients to highlight what changes might be required to avoid any unnecessary disagreements or delays.
3) Ensuring the protection of unstructured data
If the UK ends up not achieving adequate status, there will be severe limitations regarding what information can be shared between organizations in the two jurisdictions for processing. This could result in having to redact or remove specific information from documents before they are sent elsewhere. Achieving such a task manually takes several hours to complete. Not only does this slow down the data sharing process, it also takes staff away from more business-critical tasks. Instead, businesses should look to automate the process to save time and money.
With little sign of getting any clarity soon on what the UK’s data relationship with the EU will be post Jan 31, 2021, it is important that businesses get themselves ready to cope with any possible outcome. To achieve this, they must invest the time and energy to ensure that their data transfer processes and protection capabilities are robust enough to quickly adapt to new regulations. Failure to do so can result in the inability to handle and process the data necessary for the running of their business or they could fall foul of the regulator. Using the three steps outlined above, businesses can ensure that they are adequately prepared whatever the EU decides.