Data is of vital importance to the UK. Last year, the CBI's Josh Hardie spoke about how data is responsible for £240bn of economic activity in the UK. He also warned of the threat from Brexit: 10% of the world's data flows through the UK, and 75% of those flows are transfers between the UK and the EU.
This article explores why it matters whether the UK is found data adequate, or not, in a post-Brexit landscape, regardless of the exact "type" of Brexit outcome. The potential impact is so great that the Government has even produced guidance in case the UK leaves the European Union in March 2019 without a deal.
What happens to GDPR after Brexit?
The following is taken directly from Government guidance as of September 2018: “If the UK leaves the EU in March 2019 with no agreement in place regarding future arrangements for data protection, there would be no immediate change in the UK’s own data protection standards. This is because the Data Protection Act 2018 would remain in place and the EU Withdrawal Act would incorporate the GDPR into UK law to sit alongside it.”
This provides reassurance that work carried out to comply with GDPR has not been a waste of time, and UK organisations will still be able to send data to the EU without changes. But for data to flow in the other direction, from the EU into the UK, the position is different: on exit the UK becomes a "third country" under GDPR and would need the European Commission to grant it an adequacy decision. Adequacy is granted to countries whose privacy legislation is judged essentially equivalent to GDPR, and adequate countries are the only places outside the EEA to which EU citizens' data can be sent without additional safeguards. At the time of writing only 11 countries are considered fully adequate, or "secure third countries", including Argentina, Guernsey, Jersey, Israel and Switzerland, with Japan set to join them.
What you need to know about third countries and data adequacy
There is little argument that the depth of privacy legislation in the UK entitles it to third-country adequacy status. Indeed, the UK government is currently arguing for an enhanced "adequacy plus" status that better reflects the breadth and depth of the UK-EU relationship (though the EU is resisting this). So why worry?
The process to declare a country adequate cannot be started until the UK becomes a third country, meaning the clock cannot even start until March 2019.
Regardless of the quality of privacy legislation in place, it takes time to reach adequacy status. For example, Japan took two years to achieve this.
Doesn't this mean that post-Brexit, transferring EU citizens' data to the UK is unlawful, and will probably remain so for about two years? Not quite. It depends on the nature of our exit from Europe:
If a withdrawal agreement is reached: there will be a 21-month implementation period during which existing legislation remains binding, so adequacy status would not be immediately necessary. These 21 months give the UK time to secure adequacy, or, if that is found to be in doubt, give organisations time to make alternative arrangements for their data.
If there is no deal: the UK would instantly become a third country, meaning any transfer of EU citizens' data into the UK without other safeguards in place would potentially be unlawful.
So, what should you do next?
In the past you may have had a deliberate policy of choosing UK-based cloud service providers to ensure compliance with GDPR. Clearly, post-Brexit, that diligence no longer achieves what it was meant to. So what are your options, regardless of whether we reach a deal or no-deal Brexit?
Standard contractual clauses
Without an adequacy decision, the usual way to transfer EU citizens' data to a country outside the EU is to put in place the standard contractual clauses approved by the European Commission, under which your cloud provider commits to upholding the privacy standards the Commission requires.
Some businesses will have already put these in place with their providers to allow EU citizens’ data to be held in their providers’ datacentres outside the EU, particularly in the US.
But for many businesses that have until now held their data solely within the UK, the EU or adequate states, this was never necessary, so it is a new requirement. While these clauses are not difficult to insert into contracts, they are an administrative burden that cannot be ignored, and some smaller providers may not be willing to commit to them.
The presence of standard contractual clauses may not be enough for some companies, however. Some want absolute certainty of their compliance. A contractual commitment is not the same as a technical guarantee that data cannot leave a jurisdiction, and so many will prefer to seek out cloud service providers who can offer data residency guarantees and workflows that support them.
The Brexit situation has highlighted the issues around data residency and privacy but none of this should be a surprise. The truth is, data privacy and residency should be considered at every stage of IT infrastructure decisions, regardless of Brexit. Building an IT infrastructure that allows data to be shared from one end of the globe to another, without delay or disruption, is not easy. Doing so while managing the pertinent data jurisdiction laws is beyond complicated, and beyond the skills of most IT teams.
This makes it imperative for cloud service providers to provide that crucial consultancy and guidance – something that is only really possible for those with a strong heritage in data residency and privacy. Maybe now should be the time for the cloud industry to catch up.