Data is of vital importance to the UK. Last year, CBI’s Josh Hardie spoke about how data is responsible for £240bn of economic activity in the UK. He also warned of the threat from Brexit – 10 per cent of the world’s data flows through the UK, and 75 per cent of these are data transfers between the UK and the EU.
This article explores why it matters to understand what being data adequate, or not, means in a post-Brexit landscape, regardless of the exact ‘type’ of Brexit outcome. The potential impact is so great that the Government has even produced guidance for the scenario in which the UK leaves the European Union in March 2019 with no deal.
What happens to GDPR after Brexit?
The following is taken directly from Government guidance as of September 2018: “If the UK leaves the EU in March 2019 with no agreement in place regarding future arrangements for data protection, there would be no immediate change in the UK’s own data protection standards. This is because the Data Protection Act 2018 would remain in place and the EU Withdrawal Act would incorporate the GDPR into UK law to sit alongside it.”
This provides reassurance that work carried out to comply with GDPR has not been wasted, and UK organisations will still be able to send their data freely to the EU without changes. But for EU data to flow in the other direction, from the EU into the UK, the UK would become a “third country”, and the EU’s advice is that it would then need to apply for adequacy status. An adequacy decision is granted by the European Commission to countries whose privacy legislation it judges essentially equivalent to GDPR, and these are the only countries outside the EEA to which EU citizens’ data may be transferred without additional safeguards. Currently, only 11 countries are considered fully adequate, or “secure third countries,” including Argentina, Guernsey, Jersey, Israel and Switzerland, with Japan set to join them.
The UK is not on this list. This may require organisations that are keeping EU citizens’ data in the UK to carry out additional work to comply with EU regulations. So, how do the requirements vary with a deal or no-deal Brexit?
- Deal Brexit
There would be a 21-month implementation period during which existing EU legislation would remain binding on the UK. No adequacy status would be required during this time, giving organisations time to prepare for any new requirements.
- No-deal Brexit
The UK would instantly become a third country, meaning that transfers of EU citizens’ personal data into the UK would lack a lawful basis unless another safeguard were in place, and any such data already held in the UK is potentially being held illegally.
What you need to know about third countries and data adequacy
There is little argument that the depth of privacy legislation in the UK entitles it to adequacy status as a third country, and indeed the UK government is currently arguing for an enhanced “adequacy plus” status that better reflects the breadth and depth of the UK-EU relationship (though the EU is resisting this). So why worry?
- Regardless of the quality of the privacy legislation in place, reaching adequacy status takes time. Japan took around two years, so the UK is unlikely to achieve it by March 2019.
- The process to declare a country adequate cannot be started until the UK has actually become a third country, meaning the clock has not even started yet.
- In the event of a no-deal Brexit, and until the UK is deemed adequate, you may be holding EU citizens’ data illegally.
So, what should you do next?
In the past you may have had a deliberate policy of choosing UK-centric cloud service providers to ensure compliance. Post-Brexit, that diligence no longer guarantees compliance on its own. So what are your options, whether or not a deal is reached?
- Standard contractual clauses
You may only transfer EU citizens’ data to non-adequate countries outside the EU if standard contractual clauses are in place, in the form approved by the European Commission, that bind the recipient to uphold GDPR-level privacy standards. Some businesses will have already put these in place with their providers to allow EU citizens’ data to be held in datacentres outside the EU, particularly in the US. But for the many businesses that have until now held their data solely within the UK, the EU or adequate states, this will not have been necessary, so it creates a new requirement. Note that the clauses sit between the party in the EU exporting the data and the party importing it: a UK business that receives EU citizens’ data directly from EU customers or partners would need them with those counterparties, not only with its cloud provider. While these clauses are not difficult to insert into contracts, they are an administrative burden and one that cannot be ignored, and some smaller providers may not be willing to commit to them.
Standard contractual clauses may not be enough for some companies, however. Some want absolute certainty of their compliance. A contractual commitment is not the same as a technical guarantee, so many will prefer to seek out cloud service providers who can offer data residency guarantees and workflows that support them.
The Brexit situation has highlighted the issues around data residency and privacy, but none of this should be a surprise. The truth is that data privacy and residency should be considered at every stage of IT infrastructure decisions, regardless of Brexit. Building an IT infrastructure that allows data to be shared from one end of the globe to the other without delay or disruption is not easy. Doing so while also complying with the relevant data jurisdiction laws is far more complicated, and beyond the skills of most IT teams. This makes it imperative for cloud service providers to provide that crucial consultancy and guidance, something that is only really possible for those with a strong heritage in data residency and privacy. Maybe now is the time for the cloud industry to catch up.
Sophie Chase-Borthwick, Director of Privacy Services and Data Ethics, Calligo