In November, 4D Data Centres held our first event featuring an expert panel discussing current issues. Our panel tackled the complicated subject that is Brexit, specifically: what does Brexit mean for your company’s data?
Below is a summary of the presentation our CEO, Jack Bedell-Pearce, gave on the potential impact Brexit could have on data sovereignty.
Brexit, data and caveats
With each party promising a different outcome post-general election, and none of these promises being a guarantee, there is no way to predict whether we’ll be leaving with a deal, with no deal, or leaving at all. Each Brexit outcome means different things for your data.
A brief history of data transfers
Data transfers between the UK and Europe are currently pretty seamless. EU data protection law has three mechanisms under which data can be stored, processed and transferred between countries:
- Safeguards – in other words, legal mechanisms, such as Standard Contractual Clauses (SCCs), Binding Corporate Rules (BCRs) or a Code of Conduct (CoC)
- Exceptions – Under certain circumstances, for example having an individual’s explicit opinion, you may be able to make a restricted transfer
- Adequacy – if the EU has ruled a country ‘adequate’, then that country has the seal of approval (companies still have to abide by GDPR or their own local data protection rules)
That feeling of inadequacy following break-up
- Brexit with a deal – Most likely the ‘adequacy agreements’ between the UK and the EU would be continued. A hard-Brexit, could change this depending on whether data transfers are part of the negotiations, or if the UK decides it wants to diverge its rules on data protection away from GDPR.
- No deal Brexit – The UK would be designated ‘third country’ status making us non-adequate. To regain that ‘adequacy’ status, the UK would have to re-apply. Most experts agree it would take between 18 months and three years for the UK to regain adequacy – so what would happen in the meantime?
The direction of data is decisive
In a no-deal Brexit, the direction of data will matter a lot.
UK to EU:
- The UK government has stated transfers of data from the UK to the EEA will be permitted.
- There is a big caveat, however, as the ICO says the government “will keep this under review.”
EU to UK
- As a result of losing the UKs adequacy status, companies looking to store personal data in Europe and transfer it back to the UK will have to arrange one of the three ‘appropriate safeguards’:
- Standard Contractual Clauses (SCCs) are by far the easiest mechanism for companies to use. However, they can’t be modified, and it’s recommended you get a lawyer to help you with this process.
- Binding Corporate Rules (BCRs) set out the rules under which a company can transfer personal data internationally, but only within its organisation – helpful if you have staff all around the world but process their payroll in Dublin.
- Codes of Conduct and Certification Mechanisms (both introduced in GDPR) allow for companies to apply appropriate safeguards. The rules surrounding CoCs and CMs are complicated, and as of Nov 2019 the ICO is stating “no approved codes of conduct are yet in use” so, it is advised you seek legal advice.
What can I do to prepare?
Aside from speaking to a lawyer, the first step is to carry out a thorough data audit. You should have done this already as part of your GDPR preparations, but it’s essential that you continue to know where your data is physically stored.
This is particularly important if you store any personal data with an international public cloud provider (AWS, Azure, Google) or with large Software as a Service providers (Salesforce, Xero). It is critical that you find out where they store your data.
Additionally, if your data doesn’t need to be outside the UK, why not repatriate it back? To guarantee your data is in the UK, you can use one of the many ‘UK only’ data centre and cloud operators, such as 4D Data Centres. Companies like ours can help with the migration process, we even have data centres near Gatwick Airport and Heathrowif equipment and engineers need to be flown across. We can also help find the best solution for your business.
- Physically moving servers to a UK data centre (Colocation)
- Building a dedicated cloud environment (Private Cloud)
- Using a UK based public cloud solution (like 4D Cloud)
- Or a combination of any of the above (Hybrid Cloud)