By Bruce Penson, Managing Director of Pro Drive IT
Since the result of the 2016 EU referendum, businesses across the country have been following the twists and turns of the Brexit negotiations, waiting nervously for the outcome.
Whilst all of this has been going on, a certain General Data Protection Regulation (GDPR) also came into force last year, throwing yet another spanner in the works.
Will data remain unrestricted?
The sharing of personal data between the UK and other EU member states is vital for business — particularly for accountants, financial services and other companies which require masses of data to function.
Herein lies the key issue. At the moment, data can flow freely (so long as companies conform to the stringent regulations, of course) because the UK is still part of the EU. But what happens when we leave?
If the proposed EU withdrawal agreement is approved, data will continue to flow until 2020 while a more long-term solution is worked out. And as the GDPR is being incorporated into UK law, there should be no real change after Brexit — as long as we leave with a deal, that is.
Since Boris Johnson took the reins though, a no-deal outcome is looking increasingly likely. In this case, the UK would be deemed an external country, meaning we would need what is called an adequacy ruling to demonstrate that our data protection standards are up to scratch. The European Commission has already made it clear this would not happen in a hurry, making restricted data flow a real possibility.
Which way is your data going?
So, with deadline day looming, how worried should companies be about handling data in the event of a no-deal Brexit? Well, that very much depends on your business circumstances.
If you are a UK business which already complies with the GDPR and you have no contacts or customers in the EEA (the EU plus Iceland, Norway and Liechtenstein), then you won’t need to do much to maintain compliance after Brexit. Chances are you’ll barely even feel the effects when it comes to data. However, if you receive data from or operate in the EEA, you will need to take action now.
The main question for businesses to ask around the flow of personal data is this: which direction is my data going in? Sending data to the EEA will supposedly be no problem because the UK government has decided it is happy with European standards. But transfers of personal data from the EEA to the UK will be affected.
What do you need to do?
Government advice on this topic hasn’t exactly been straightforward, so let’s try to break it down. If you are a UK business that receives data from contacts in the EEA, you will need to take action with the sender to ensure data can continue to flow freely. In the vast majority of cases, this is best done by putting Standard Contractual Clauses (SCCs) in place between you and the sender on EU-approved terms.
Right now, we can hear dozens of SMEs gulping at that, but don’t worry — it’s not as scary as it sounds. SCCs are essentially just contracts, and this handy interactive tool from the Information Commissioner’s Office shows you how to craft one.
If you have offices or supply services to customers in the EEA, things get a little more complicated. You will need to comply with the UK data protection regime for all UK activities, but your European operations will be covered by EU law — even after Brexit.
As such, you will need to check which European data protection regulator will be your “lead supervisory authority” and, in most cases, you will also need to appoint a suitable representative in the EEA.
How can Pro Drive help?
Whilst we doubt the data regulators will be rushing to punish SMEs which fail to get the right contracts in place straight away, don’t be fooled into thinking you can ignore the problem. If you fail to act, your organisation may lose access to the personal data it needs to operate.
So, no matter what your business circumstances, it’s a good idea to review your privacy information and documentation to identify any minor changes that need to be made after Brexit.
You are also more likely to run into issues with a no-deal Brexit if your business uses multiple platforms to store data. Carrying out full audits is, therefore, vital to see where your data is and to map out data flows (you should be doing this anyway for GDPR compliance, but it’s best to get into the habit of doing this regularly).
As part of the IASME certification against the government’s Cyber Essentials Scheme, Pro Drive can put together a data map that shows where all your data is and where it’s going — so you can take the suitable course of action.