Preparing for a post Brexit world...the implications on data usage
By Steve Sullivan, Head of Regulatory Compliance
As we head towards the end of December 2020, it is looking increasingly likely that Britain will leave the EU without a deal, or with an “Australia type deal” as described in some parts of the press. Although GDPR has been passed into UK law in the Data Protection Act 2018, leaving the EU without a deal will have some significant implications for how the rules around data privacy will apply in the UK in 2021.
The UK Government’s current stance is that ‘The EU is conducting a data adequacy assessment of the UK. If the EU grants positive adequacy decisions by 1 January 2021, it would mean that personal data can flow freely from the EU/EEA to the UK, as it does now, without any action by organisations.’
However, if we leave without a deal and the EU hasn’t given us an “adequacy ruling” then, as stated by the government, the implications for data handling are that UK data being passed to Europe will be covered by existing laws, but if EU data is sent to the UK, it could contravene data privacy regulations. For pan-European operations, this might pose serious new risks.
What is the UK’s data privacy situation as we leave the EU?
If the UK’s rules aren’t considered adequate by the EU, then a raft of new contractual arrangements using Standard Contractual Clauses (SCCs) will be required. This is according to a report from the New Economics Foundation and UCL European Institute ‘The Cost of Inadequacy’. The report estimates “The aggregate cost to UK firms would likely be between £1 billion and £1.6 billion.”, most of which would be the cost of commercial legal work to implement the necessary SCCs.
Add to this, the arrangement between the US and EU called the ‘Privacy Shield’ which was struck down by the EU over concerns that US corporations are subject to making data available to US Government agencies, which the EU considers a data risk. This creates additional implications for data sharing wider than the EU and UK in the western hemisphere.
How can you prepare to be Data Privacy compliant?
The EU has released some draft Standard Contractual Clauses which data controllers and processors can use to remain compliant in 2021 and beyond. Already, several commercial law firms are preparing advice which data owners can use to assess their position with respect to data from the UK, EU and other countries including the US. This may come at a price, so here is a very summary of the impacts that we expect to see:
If you have UK data which you store and process in the UK, your operations are not likely to be affected in the short term, as long as they are already compliant.
If you have UK data which is stored or processed in the EU, you are also not likely to be significantly affected in the short term. The EU’s rules should be enough to protect you against the most likely risks.
If you have EU data which you store and/or process in the UK, you should review your risks and the new SSCs may be needed to assure your compliance. This will apply if you use many nearshore outsourced customer service or data processing teams.
If you are a global operation with data from different regions which is transferred across borders, your situation may be complex and will need looking at carefully.
What is best practise in tomorrow’s data handling world?
To manage your risks there are two key pieces of advice we can give to all businesses who use private data in any way, whether for outbound sales, customer service or sales order processing:
- Minimise the amount of data you store per contact. The less data you store, the less likely it is to get you in trouble. Avoid storing risky data such as payment details unless absolutely necessary to your business model.
- Minimise the places you hold data. If your data is stored and processed in only one location, the amount of regulation is minimised. Also, the lower number of transfers your data has to undergo, the lower the risk of breaches of privacy, or indeed of your business inadvertently falling foul of the regulations in one region or another.
As a last consideration, check all your IT service providers. Do you really know where your call recordings and network data backups are stored? Identifying where your data is held is essential. If hosted in the cloud then find out where the data servers are located and if your technology provider is unable to provide this information, then your business could be at risk and alternatives should be considered.
If you’re unsure how to assess your risks and prepare for your future once the UK leaves the EU, get in touch. We can advise you about the risks you need to consider and potential ways to mitigate them.