Q&A: What does Brexit mean for UK data sovereignty?

We spoke to Ross Woodham, Director Legal Affairs and Privacy at Cogeco Peer 1, about the data issues currently facing businesses.

The UK’s decision to leave the EU has led many businesses into a period of uncertainty, while the details around the exit are ironed out by parliament. With the General Data Protection Regulation (GDPR) fast approaching and the newly stated EU-US Privacy Shield in place, where does this leave organisations?

We spoke to Ross Woodham, Director Legal Affairs and Privacy at Cogeco Peer 1, about what Brexit means for data sovereignty and how to tackle the current privacy issues facing businesses.

1. What is privacy-by-design and why is it so important for businesses?  

Privacy-by-design is the approach of factoring in data legislation requirements at the design stage of new systems that will contain personal information. Essentially, developing products that are fit to hold data securely, from the beginning until the end of life.

This will be the cornerstone of the GDPR when it is implemented in 2018. The new legislation makes it clear that if you are a controller or processor of personal information, you are responsible for the protection of that information. Whilst privacy-by-design will be compulsory for businesses, its important to remember that considering privacy at the inception stage is much easier than dealing with it retroactively.

2. What does the UK’s decision to leave the EU mean for data sovereignty?

The most significant issue is that, most likely, we will no longer benefit from sharing the same laws with the EU, specifically the GDPR. As we have seen with the US, this brings significant complications and businesses that handle the data of EU citizens will have to keep a close eye on where that processing is happening. If they are transferring the information to the UK, they will have to consider the requirements for transferring data to a non-member state.

3. With the impending Brexit, do UK businesses still need to prepare for the GDPR?

Yes, if I have one bit of advice for UK businesses it is to continue preparing for the GDPR. Even if the UK triggered article 50 today, the GDPR will be enforceable in May 2018, which is well before we would leave the EU. In order to remain a close trading partner to Europe following Brexit, the UK will need to adopt a similar framework to the GDPR to protect EU citizens’ data.

By replicating the GDPR, the UK could aim to obtain a ‘finding of adequacy’ from the European Commission, which means that UK data laws are classed as an equivalent to the EU data regulations. The easiest way to achieve this is to largely replicate the GDPR under UK legislation, so any compliance efforts are not wasted.

It should be noted that If we fail to achieve a finding of adequacy (and proposed legislation like the Snoopers Charter could easily put such a finding at risk), then transferring data from the EU to the UK will become a significantly complex challenge for UK businesses.

4. What should businesses consider when transferring data to the US?

Firstly, businesses should question whether there is a legitimate reason to host their data in the US. This is not a mandatory consideration but common sense dictates that if the answer is no, they should consider hosting it in the EU, or another country with a ‘finding of adequacy’ agreement to keep things more straight forward.

If the data has to be hosted in the US, for example the company may have a workforce out there that needs to access it, then they should check that the correct protections are in place. Businesses should question whether there are subcontractors accessing the data, and if so, do they have contractual agreements in place? This should be approached in a similar way to privacy-by-design. Always ask if the system is designed for privacy and protection in the first place.

5. What is the difference between data sovereignty and data privacy?

If I had a pound for every time I’ve these terms misused! Data sovereignty is about where certain data is held, the laws that apply to it, and which governments and law enforcement agencies can claim jurisdiction over it. It is also used to describe legislative attempts by governments trying to ensure that certain data remains within their borders.

Data privacy, on the other hand, applies to the basic data protection principles and rights, such as consent, ensuring data is accurate, up to date and only used for its specified purpose, or rights of access and deletion. Businesses need to consider both, as they work in tandem.

6. What does the future hold for the data protection industry?

Data is growing at an exponential rate, and companies need to utilise and analyse it more than ever to be successful. For the industry, there is a huge amount of potential as the demand for individuals with experience and expertise in data security and protection continues to grow. Businesses will have to think differently about how they manage data they collect over the coming years, as data protection standards are continuing to increase. 

7. What are the biggest challenges that data legislators currently face?

The issue of data transfer from the EU to the US is one of the main challenges for legislators. They have to strike a balance between the standards expected of the EU, but enforcement is also going to be a big issue because there is so much uncertainty in the market at the moment.

When the Safe Harbour agreement was abolished last year we were left with very few sensible options in terms of legal transfers. The available laws were not designed with the type data transfer that we see today in mind. Regulators need to work with industries to really understand data transfer needs and requirements.

They need to establish common principles that apply to developing technologies that are out there. The technology sector is extremely fast paced and legislation needs to keep up.

Image source: Shutterstock/Maksim Kabakou