Is your data Brexit ready (deal or no deal)? The forgotten challenge.
Given how many challenges & threats have faced us all this year, it is perhaps not surprising that checking your data is Brexit ready has been overlooked by many.
Not only have your people & business been tackling challenges from the COVID-19 pandemic, but Brexit itself has been characterised by the lack of any clarity. Now, I’m not going to use this post to get political, but rather to sound a wake-up call for data leaders.
I do so for two reasons. Firstly, I fear that the Brexit impact on your data sharing & usage is lacking attention in the flood of Brexit coverage. Secondly, I’ve been approached by a few different leaders for advice, so I will share what I’ve discovered so far. Much is still unclear, but I hope this post helps you improve your planning.
What do you mean, Brexit ready, is anything really changing?
The first point I’d like to address is a misapprehension that nothing is changing. Over a year ago, I was in this camp. The UK had committed to including the core GDPR principles into UK law and so it seemed that alignment & business as usual was on the way.
Given the lack of media coverage since then, leaders could be forgiven for assuming that was still the case. However, as Elizabeth Denham (the UK’s Information Commissioner) made clear in her latest email, there is no guarantee that the UK will gain an ‘adequacy decision’ from the EU at the end of the Transition Period (31/12/2020).
From 1st Jan 2021, the EU’s GDPR law will no longer apply within the UK. However, a very similar UK version of GDPR will have come into force from 11 pm of the night before. This will supplement the UK’s DPA 2019 & PECR laws, which continue to apply. So, is all well? Perhaps not. If you need to transfer data ‘from an EEA country’, then how difficult this becomes depends on whether or not our Brexit negotiators achieve an adequacy decision from the EU. Read on to understand why transfers ‘to the EU’ are already resolved.
Here’s a recorded webinar from the ICO that’s worth viewing to understand how this will work & where things could change:
What might I need to do to be ready for the worst-case scenario?
One of the things to check first is whether or not your business transfers data to/from an EEA country. Remember, this is not limited to overt sharing with a business obviously registered in an EU country. You also need to check where partners/suppliers whom you may think of as UK businesses actually store any data you share. If the server is located in an EEA country, then you will be impacted.
Remember also that GDPR applies to the data protection rights of EU citizens wherever in the world their data is processed. So, other businesses will need to ensure that protections are adequate if data is to be stored outside of the EEA. This is likely to require you both to evidence documentation of GDPR-compliant policies & controls, and to have contractual terms in place that ensure this.
This may include you needing to add GDPR-compliant Standard Contractual Clauses (SCCs) to your contracts with organisations with whom you share data. It may in some cases even require you to have a representative within an EEA country. The potential considerations of both & the overlapping impact of multiple laws can get complex. So, it is worth you checking how the ICO’s advice applies to your circumstances.
Online resources to help you find your way through the confusion
I recommend the following online resources to help you answer all the questions posed above, for your business.
(1) ICO’s Keep Data Flowing interactive tool
A helpful question-based tool that can guide you to the SCCs you may need for each data transfer situation. Yes, folks, it’s more of that promised increased red tape as a result of Brexit (no comment):
(2) Linklaters’ blog post on latest guidance
As with the original implementation of GDPR, it’s wise to seek legal counsel too. Here is a helpful blog post from Linklaters (UK law firm) summarising the latest guidance available from both the European Data Protection Board (EDPB) & the European Commission:
(3) DP Network summary of UK Gov guidance
Despite the belated nature of guidance issued by the UK government, plus what is still unclear, it makes sense to read this too. Throughout the journey towards GDPR compliance (which is still not complete for most firms), the Data Protection Network has been a useful source of resources. In this blog post they summarise the latest UK Gov resources to help you understand what is meant by adequacy & the implications of two possible outcomes:
I hope that helps you get your data Brexit ready
As we close 2020, I hope the above post helps you plan in your business for both eventualities (with or without the UK being granted ‘adequacy’).
I know you probably have bigger considerations as a data leader, given the terrible challenges many have faced in 2020. But, as you perhaps pause to reflect, I urge you not to sleepwalk into this one. Please use the above resources to help you check any possible impact and have plans.
As I write that, I am reminded of the post that guest blogger William Buist wrote about the original implementation of GDPR in the UK. As he argues in that post, leaders need to see this as just another external change for which we need to be prepared. Perhaps worth re-reading that one now too. But, do still have yourself a Merry Little Christmas in the meantime.