The leaves are beginning to turn and there are already Christmas bits in the shops, so we’re reminded that the end of the year is not that far away – and what happens at the end of 2020? It’s the end of the Brexit transition period and time to see what life outside the EU looks like.
The news is full of trade deals and border controls, but one of the things that will affect businesses of any size with customers or employees in the EEA (the EU plus Iceland, Norway and Liechtenstein) is data regulation. It has the potential to be a huge headache.
Remember the last data regulation headache?
The General Data Protection Regulation (GDPR) was brought into force by the European Commission in 2018 to give people more control over their personal data. Among other things, the European regulation restricts the transfer of data outside the EEA – which will include the UK as of January 2021. This could cause a great deal of disruption to businesses across Europe that are accustomed to transferring data freely between the EEA and the UK.
Much rests on the European Commission’s decision on the adequacy of British data protection legislation. Though the EC has already committed to completing an adequacy assessment, there’s a chance it won’t be finished before the transition period ends, which means everyone needs to prepare for what might happen come 1st January 2021.
If the UK is ruled inadequate by the European Commission (or the decision isn't made by Jan 1st 2021) then it is the responsibility of individual companies to have their international data transfers validated using standard contractual clauses or binding corporate rules (more on both of those below).
Here, we provide a list of things data specialists need to do before the end of the Brexit transition period.
5 Tips for Small Businesses
1. Get to grips with your data
Do you know what data you have on file, what you continue to receive and where it all comes from? Personal data could be about your customers, your prospects, your suppliers and your employees. Carry out a full audit so that you know where you stand.
2. Check you are in compliance with GDPR
There was a massive push to achieve GDPR compliance in the run-up to implementation in May 2018. But two years have passed and a lot has been going on (hello, global pandemic), so it is worth checking that all the systems you put in place are working as planned. UK GDPR compliance will help see you through almost all of the changes that may result from the end of the transition period.
3. Find out where your data is stored
If all your data is stored on IT infrastructure in the UK, this will be an easy one to answer. If it’s in the cloud, you need to find out where the cloud provider is storing your data. This includes cloud-based tools, such as Teams and Salesforce, which store personal data.
4. Establish work-arounds in case the UK is not granted adequacy
If you receive data from the EEA, data storage and use must comply with EU data protection laws. In order to keep the data flowing at the end of the transition period in the event of no adequacy decision, you will need to take some other action, such as the use of SCCs (standard contractual clauses). These are exactly what they sound like: a standard contract between your business and the sender of the data. SCCs are typically the best option for SMEs. You can build one or use a template from the ICO.
5. Keep updated with the latest news
Discussions between the EU and the UK are ongoing and many decisions will not be reached before the end of the Brexit transition period. Make sure you are up-to-date with your responsibilities, and don’t forget to update your privacy statement and terms and conditions in accordance with the latest information.
5 Tips for Larger Businesses
1. Prioritise your data flows
If your data flows are many and complex, you need to prioritise those that you cannot afford to be interrupted. Business-critical data transfers that would be compromised by no adequacy decision should be first on this list for safeguarding.
2. Establish safeguards
The ICO recommends SCCs as the simplest way to ensure data transfers can continue uninterrupted once the transition period has ended. Binding corporate rules (BCRs) are another option for restricted transfers from the UK that stay within a corporate group or go to a group of overseas service providers. BCRs will need updating post-transition to reflect that the UK becomes a ‘third country’ outside the EEA.
3. Think about a workaround for data flows that can’t be safeguarded
If you cannot safeguard the data transfer with any of the above arrangements – or if you can’t do it in time – then the ‘safest’ (in regulatory terms) place for it is in the country the data originated from. If you can, segregate your data by geography and store it in IT infrastructure in its country of origin. That way, data transfer regulations are not an issue.
4. Make sure you have an EEA representative if you need one
If your company sells goods or services to individuals in the EEA but has no offices or personnel located in the EEA, you may need to appoint an EEA representative to act on your behalf with regard to EU GDPR compliance. This may be as simple as instructing a lawyer located in one of the countries where the data subjects are based.
5. Start now
If you haven’t already started preparing, act now. The IT and legal work will take time and you need to be ready for no adequacy decision – or a non-adequacy decision – by 1st January 2021. Lost time could mean lost business.
UK citizens’ data is best stored in the UK
We anticipate a general move worldwide towards a kind of data nationalism, where all countries prefer their citizens’ data to be stored within their borders. Certainly, in terms of keeping up with regulatory changes and ensuring compliance, it is the simplest option.
If you are currently keeping UK citizen data overseas or on the cloud, this could be a good time to move it back to UK territory. Apart from anything else, acting fast will beat the rush as more businesses follow suit after the Brexit transition period. Working with a data centre will ensure a smooth, straightforward data migration, giving you one less thing to worry about. As an alternative, private cloud services also give you the freedom of the cloud with the reassurance that you always know where your data is and who has access to it.
As a 100% UK-based colocation and private cloud provider, we’ll be happy to talk to you about the best solution for your business.