BREXIT in your backyard – Is your data Adequate?

Five weeks from now we will be preparing to start the business week having left the European Union (Brexit), or having gone into political meltdown (if any more of that were possible).

With the “No Deal” scenario still on the table, we will have all our wishes come true: lorries stuck at borders, planes diverted around the EEA (European Economic Area), foodstuffs rotting in warehouses, and wholesale panic and mass hoarding of everyday commodities – or some sort of “deal”.

Alongside this vision of modern Armageddon will be the difficulties of moving data to and from the UK, and not only to Europe, but to other countries as well, such as Australia and Canada.

“How so?” I hear you all cry. “I spent my money on consultants and got the tick in my GDPR (General Data Protection Regulation) compliance box – I’m OK.”

Well, before you settle back in your chair and order another post-Brexit baguette, you may want to note the word “adequacy” in all the Brexit kerfuffle and review the information that has been streaming out of offices such as the ICO (Information Commissioner’s Office) recently, telling us to make checks and be ready for no-deal Brexit day.

Why is this a problem?

Although the UK government has said it is ready to start talks over an “adequacy” decision, Brussels’ chief negotiator Michel Barnier has repeatedly said an adequacy decision cannot be taken until the UK has formally left the EU – and these assessments can take up to two years to formalise.

Simply put, the EU’s adequacy assessment reviews whether a country has the same standards of data protection as the EU. In the UK’s case, we signed up to and implemented the Europe-wide GDPR framework through the UK’s Data Protection Act 2018, a domestic statute rather than a European one. So Europe has to decide whether we make the grade, and it is their decision alone.

Margot James, the UK’s Minister for Digital and the Creative Industries, is on record at a House of Commons European Committee as stating that she is “optimistic” that any decision would not require the usual length of time – and let’s face it, all negotiations on Brexit have been expediently conducted and are going swimmingly well so far… so who’s to doubt her optimism?

On the other side of the Channel, however, according to Politico, a Brussels-based paper, “ministers were briefed on these risks before the summer recess and a note circulated to politicians warned of ‘substantial disruption’ and ‘significant legal costs’ for businesses without a Brexit deal on the transfer of data.” (Source: The Register.)

Furthermore, it goes on to report: “The UK’s new 2018 Data Protection Act could also cause problems as a report from the Joint Committee on Human Rights questioned whether the Act ‘offers protection that is equivalent to Article 8’ of the Charter of Fundamental Rights (CFR). The Act also waives data protection rights in areas relating to immigration control, again in apparent contravention of EU fundamental rights protections, as the Home Affairs Committee pointed out in March 2018.

The onward transfer of data from the UK to close security partners such as the USA, Australia or Canada is another contentious area. The EU is unlikely to declare the UK adequate if there is a risk that personal data from the EEA could be passed on to countries which do not themselves offer an adequate level of protection.”

What does this mean for you? Well, it means: don’t just sit back.

The ICO has good advice for companies and individuals that send, receive and store data that might have a European origin, and has a six-step checklist to follow, which can be found here:

These steps are:

  1. Continue to comply by following GDPR standards and follow current ICO guidance.
  2. Review your data flows to the UK from the EEA.
  3. Review your data flows from the UK to any country outside the UK, as these will fall under new UK transfer and documentation provisions.
  4. If you operate across Europe, review your structure, processing operations and data flows.
  5. Review your privacy information and internal documentation to identify any details that will need updating.
  6. Make sure key people in your organisation are aware of these key issues.

On a practical note, steps 5 and 6 seem a good place to start. Whilst many thought GDPR was a one-off exercise, this brings back into sharp focus that it is a continual process. It is like your vehicle’s MOT certificate: even though you hold the certificate, you can be prosecuted if you fail to keep your vehicle roadworthy at any time – and the same applies to keeping your data protected.

The striking fact is that, in our normal course of business, Vissensa sees time and time again cases where GDPR has been treated as a single exercise and the company concerned has drifted out of compliance through not understanding its continued collection, storage and use of data.

The ICO also recommends:

You should read this guidance if you are a business or organisation based in the UK and the GDPR or Part 3 of the Data Protection Act 2018 currently applies to your processing of personal data.

In the Brexit maelstrom that exists, it seems this little-reported but hugely significant barrier is being overlooked by most commentators, who are probably avoiding the technicalities of the problem. That leaves it to correspondents such as Rory Cellan-Jones (@BBCRoryCJ), technology correspondent for the BBC, to raise the issue into the mainstream again, as recently as January 2019, when in his piece he asked, in his words:

“Two urgent questions” – “Does your business move data across borders, and if so, are you prepared for what could happen if the UK leaves the EU at the end of March without a deal?”

He quotes the piece: “The Direct Marketing Association (DMA), which represents a whole raft of data businesses, says any company that moves data between the UK and an EU country needs to be aware of what will change if we effectively sign out of the General Data Protection Regulation (GDPR), Europe’s data protection regime. And in the meantime, the DMA says, there would be severe uncertainty that ‘could potentially bring EU-to-UK data flows to a halt’.”

He goes on to report that the DMA chief executive, Chris Combemale, says: “Large companies are prepared and will take things in their stride, but the administrative burden on smaller businesses could be quite onerous.”

Read Rory’s full article here:

How can we be prepared?

Deal or no deal, data privacy law will be in sharp focus at legal firms across Europe, which will be ready to pounce on firms that have erred in the new post-Brexit world.

Therefore any company, but particularly SMEs that operate e-commerce platforms available to European citizens, should seek to have EU-approved standard contractual clauses (SCCs) written. These are data-transfer-specific contractual terms that allow the company to send data to and receive data from the EU until any overarching adequacy deal is agreed.

Finally, if you want to delve further into this topic, read my post-Brexit blog “Data in a Post Brexit world”, written just after the vote two years ago and before all the shenanigans of the last two years. Having re-read it myself, I’m not sure whether I had a crystal ball at the time or whether I was just, as our strapline at Vissensa says, “Forward Thinking”.

Find the article here: