Britain is about to leave the EU and many important legislative loose ends remain untied. But for the tech industry, one major problem is looming.
After Brexit, the UK will become a “third country”, meaning that personal data cannot be easily transferred between Britain and Europe. If this issue is not solved, it could harm British tech businesses and put them at a major disadvantage against competitors on the Continent.
Although the EU is currently conducting a “data adequacy” assessment of the UK, there is no sign this survey will be complete by the time we leave the EU, meaning that British firms may have problems sharing data with their European counterparts. This could cause many challenges and, currently, there are no easy answers about what might happen if politicians don’t strike a deal and stave off the data disaster.
We spoke to leading experts in data protection to find out what could happen if the problem is not addressed as well as their recommended survival tips to allow businesses, organizations or individuals to prepare:
Matt Lock, Technical Director at Varonis
Data privacy standards are constantly evolving, and businesses should stay on top of the latest developments and demonstrate agility when it comes to preparing for changes. For example, organizations must ensure there are strict protections around unstructured data. However, the sheer amount of unstructured and stale data that companies possess can present a huge challenge from both a security and a data protection standpoint. It’s imperative to understand what data is being accessed, who can access it, and who is actually accessing it.
Post-Brexit we will likely see a large uptick in Binding Corporate Rules (BCRs), a legal framework that allows businesses within the EU to share data with non-European-based firms. If data is moving to and from a European-based company to a UK company and vice versa, the correct data protection controls and legal frameworks must be in place.
Without a so-called ‘adequacy decision’ from the EU by the end of the year, companies may see themselves thrown into legal limbo and no longer have the ability to share data. With only a matter of weeks to go until Brexit, there are still many questions that need to be answered. Will companies be in limbo in 2021 in terms of transferring data safely across the English Channel? How will restrictions to the free flow of information impact business operations? What should be on an organization’s checklist to ensure ‘business as usual’?
It’s worth noting that the GDPR was enshrined in UK law under the Data Protection Act 2018 so we have local laws that protect our data as UK citizens.
Darren Wray, CTO at Guardum
The impact on firms will very much depend on the volume and type of data that they are transferring to and from the European Economic Area (EEA) presently. The concern of the GDPR is personal data; this means that if an organization’s HR department is presently in the UK and they have staff in EU countries such as France or Germany, then steps will need to be taken to allow the transfer and processing of the EU staff's data in the UK.
The changes in this example are likely to take the form of the implementation of Standard Contractual Clauses (SCCs) between the UK and EU entities, or potentially changes in contracts of employment to allow the processing of personal data in what will be a third country. Of course, this is not the only scenario, and some, where customer data is transferred between the UK and the EU, may require other approaches. In some extreme cases, companies may decide that moving a business function to the EU may be the better option than trying to achieve data compliance.
There are several things that businesses should be looking at right now; these are:
Understanding Data Flows - Knowing what data is transferred between customers, vendors, and countries is a vital part of this new world. Where personal information is flowing between countries, questions should be asked around whether the data needs to continue flowing, or if it needs to be redacted using auto-redaction software.
Vendor Relationships - Relationships with vendors and suppliers will often require the exchange of information. If this includes personal information then changes may be required to agreements to include SCCs to allow the continuation of such data flows.
Client Relationships - Where your clients are based in the EEA, you may have to change your contracts or terms of service to indicate that personal data is being processed in the UK.
Intercompany Data Exchange - Presently personal information likely flows freely between different parts of the organization; this is something that will probably need to be updated depending on where people are based geographically. Again, look at ways of reducing the personal information that is moving around by using auto-redaction tools.
Joseph Carson, Chief Security Scientist at Thycotic
2021 will be the year of Brexit as the transition period ends and will no doubt replace Covid as the main media narrative. However, one aspect of Brexit which is often overlooked is data sovereignty, and with whispers of a no-deal on trade, this will ultimately mean a no-deal on data.
The UK may well create its own equivalent version of the GDPR, but there will be no agreements in place with the EU or elsewhere. If Brexit progresses with no deal and without the UK’s ‘data adequacy’ status being agreed, every company in the UK that relies on processing data from overseas will potentially need their own framework for transferring and handling data. For smaller companies that don’t have binding legal agreements, this is expected to be a costly and time-consuming process. As a result, we will likely see more data being stored locally.
Ultimately data protection will evolve into Data Rights Management. It will become more about how the personal data will be used, and what monetization is resulting from the data.