A deal? Not a data deal
By Steve Sullivan, Head of Regulatory Compliance
So, at the last minute and just in time for Christmas, the EU and UK agreed a post-transition Brexit trade deal. If you read our article published just a few days before Boris and Ursula settled their fish-based disputes, then you would hope that the deal included the vital EU ‘adequacy’ ruling on UK personal data protection rules. Unfortunately, this was not the case.
The parties have agreed a 4-to-6-month extension to the current arrangements, so personal data can continue to flow between the UK and the EU, but that looks like the final extension.
What does ‘Processing Personal Data’ really mean?
It is a broad definition. ‘Personal data’ is essentially anything that can be used to identify a real, living person, and ‘processing’ covers just about any activity that involves that data. It is not limited to communications, e.g. making calls, sending emails and messaging on social channels: analysis, segmentation and even a simple back-up of the data to storage can count as processing.
Implications of no adequacy ruling
If the EU does not give the UK an ‘adequacy ruling’ then, as stated by the government, the implications for data handling are that UK data passed to Europe will be covered by existing laws, but EU data sent to the UK could contravene data privacy regulations. For pan-European operations, this will pose serious new risks.
If the UK’s rules are not considered adequate by the EU, then a raft of new contractual arrangements using Standard Contractual Clauses (SCCs) will be required. According to a report from the New Economics Foundation and UCL European Institute, ‘The Cost of Inadequacy’, “the aggregate cost to UK firms would likely be between £1 billion and £1.6 billion”. Most of this would be the cost of commercial legal work to implement the necessary SCCs.
Are you feeling lucky?
So, should you start to worry about this now and give your lawyers a call?
You may well imagine that, as the UK uses the EU-wide General Data Protection Regulation (GDPR) and the 2018 Data Protection Act as the basis for its data protection rules, the European Commission would have no alternative but to grant the UK an ‘adequacy’ ruling. But that is not the case. A large number of data privacy professionals and data rights groups argue that the UK does not reflect EU standards in its collection and processing of personal data, especially in the areas of national security and data sharing with other friendly states, and so should not be granted ‘adequacy’. It is worth noting that the European Commission has so far ruled only a small number of countries’ personal data protection to be adequate (Andorra, Argentina, Canada, Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland and Uruguay).
Do not forget the Privacy Shield
In the meantime, if you have clients in the USA or use technology solutions with data centres in the US, there is something else you need to pay attention to. Since 2016, an arrangement agreed between the US government and the EU, called the ‘Privacy Shield’, provided a framework for US and EU companies to compliantly transfer personal data across the Atlantic. Last summer the Privacy Shield collapsed when the European Court of Justice ruled it invalid over concerns that US corporations can be required to make personal data available to US government agencies.
This may seem like old news, but many organisations are only just waking up to the implications of it. For most companies, there is a solution that will allow appropriate personal data transfers to continue, but unfortunately, once again that is likely to be reliant on Standard Contractual Clauses, lawyers and considerable expense.
What to do?
To manage your risks, there are two key pieces of advice we can give to all businesses that use private data in any way, whether for outbound sales, customer service or sales order processing:
- Minimise the amount of data you store per contact. The less data you store, the less likely it is to get you in trouble. Avoid storing risky data such as payment details unless absolutely necessary to your business model.
- Minimise the places you hold data. If your data is stored and processed in only one location, the amount of regulation you are exposed to is minimised. Also, the fewer transfers your data has to undergo, the lower the risk of breaches of privacy, or indeed of your business inadvertently falling foul of the regulations in one region or another.
As a last consideration, check all your IT service providers. Do you really know where your call recordings and network data backups are stored? Identifying where your data is held is essential. If it is hosted in the cloud, find out where the data servers are located; if your technology provider is unable to provide this information, your business could be at risk and alternatives should be considered.
If you are unsure how to assess your risks and responsibilities now the UK has left the EU, get in touch. We can advise you about the risks you need to consider and potential ways to mitigate them.