How will Brexit affect your business data?
With Brexit in the headlines pretty much every day at the moment, one thing many businesses are unlikely to have given much thought to is data protection.
Data protection is based on two principles. The first is to protect privacy when using someone’s personal data. The second is to allow and maintain the free flow of personal data (just like goods and services) across European borders so that it does not hinder trade.
The question is, how will Brexit affect business without the free flow of personal data, and what does that mean for your business (assuming you trade with mainland Europe)?
It’s a good question and one that we do not have a firm answer to. However, if I were a betting man I’d suggest we’re in for a bumpy ride, and this is why.
Any country classed as a third country (a country not part of the EEA and not covered by an adequacy decision) has to transfer data on one of the following bases:
- Standard (model) contractual clauses in place between EU exporters and UK importers or other organisations
- Binding corporate rules in place for the free flow of data within the organisation to its entities in other countries
- A self-certification scheme and codes of conduct approved by the EU, something similar to the EU-US Privacy Shield
- An adequacy ruling in place
All of the above are possible. Options 1 and 2 can be expensive, inflexible and absolutely have to be adhered to (as one would imagine). One thing is for sure: mainland Europe has always been a lot stricter where data protection compliance is concerned, so signing up to contractual obligations and not delivering against them isn’t really an option.
Option 3 is going to be interesting in itself. As we leave the EU, the provision we have in place for lawful data transfers to the US under the Privacy Shield will cease and another mechanism will need to be found. Think through the SaaS services you use and how they will be affected, in particular CRM systems and content management systems.
Having this type of mechanism in place is useful; however, like the EU-US Privacy Shield it is not without its challenges, and the scheme can be time-consuming and expensive for smaller organisations to achieve.
Option 4 is the preferred option all round, but one that (as it stands) I do not think the UK will achieve. The UK will have to seek this adequacy ruling from the EU. The EU’s stance on negotiations to date has been fairly tough, so why think it will be any different when it comes to data?
This is further supported by:
At least 4 serious departures from the previous directive have not been resolved, one of which is to strengthen the powers of law enforcement agencies around their use of and/or access to personal data.
Michel Barnier (Chief EU negotiator) stated (on 24th May) that adequacy would be problematic for the EU. Bearing in mind that the UK will be outside European Court of Justice rulings:
- Who would launch an infringement against the UK in the case of misapplication of the GDPR?
- Who would ensure that the UK would update its legislation every time the EU updates the GDPR?
- How can we ensure the uniform interpretation of the rules on data protection on both sides of the Channel?
When Elizabeth Denham (Information Commissioner) was pressed several times on the possibility of the UK getting an adequacy decision, she went from trying to evade the question to finally conceding:
“I think if the Government decided to go down that route to get an assessment of adequacy, that is the right way to go. There will be some challenges, especially related to our national security agencies and bulk collection and retention of data”.
With all those points taken together, there isn’t much (in my opinion) that looks positive for the UK getting the adequacy ruling. What will you and your business do if that’s the case?
If you want to find out more about this, or about how your business can get to grips with its data protection obligations, please get in touch: jgobran@i-Secured.co.uk