As we all know, the UK has left the EU – but after the 31st of January 2021, the transition period will be over and EU law will no longer apply to the UK. This will have implications for a range of sectors, but for now we’d like to talk about what it will mean for data protection. In 2021 it will be essential that you know exactly where your company’s data is stored, where your customers’ data is stored, and exactly where your organisation is receiving data from.
There are of course actions underway that may enable UK organisations to continue to operate as they have been with regards to data. But we’re here to tell you about some of the factors you will need to consider as a business once the UK has left EU law.
Domestic data law is expected to remain largely unchanged. Therefore, it is organisations who have dealings with EU-based customers who will need to look at how they handle data after Brexit. There are a number of things that can be done to mitigate any potential risks posed by being outside of the EU’s data regulations.
The way in which you mitigate these risks depends on the nature of your business – e.g. where you are based, who your customers are and where they are based. Those most urgently in need of addressing their data infrastructure are those who exchange and receive data across borders, for example financial organisations that may have European counterparts. That flow of data will be subject to EU regulation.
Another consideration is the location of your Cloud hosting – where your data is hosted is more important than where your organisation is based. For example, an organisation based in Hong Kong whose data is hosted in the UK must abide by UK data legislation.
If your organisation’s data resides in the UK, then most likely you will not need to drastically change your Cloud strategy or data protocols. Therefore, it would be best as an organisation to check your data residency. Some Cloud providers may in fact host your data in an EU member state.
The data hosting method we favour is Azure – the world’s largest cloud provider, ‘with more global regions than any other cloud provider’. Most Azure services enable users to specify in what region their customers’ data will be stored, and Microsoft will never replicate customer data to a region which you have not specified.
Specific data locations for Microsoft 365 customers can be found here.
In the case of UK-based organisations who have EU-based customers, one of two options will apply: either UK-based organisations will be required to have Standard Contractual Clauses (SCCs) in place in order to legally exchange data with EU counterparts, or UK-based organisations will be granted free movement of data. For the latter to happen, the UK will need to be granted data adequacy.
Data adequacy is a status that is granted by the European Commission to countries outside of the European Economic Area (EEA) – such countries must prove that they have a level of personal data protection that is equal to that of European Law. Countries with Data Adequacy have free movement of data between themselves and the EU. This status may also be granted to specific sectors, or even international organisations.
Currently, the European Commission is undertaking a data adequacy assessment of the UK; if the UK is granted this status, organisations based here will be able to exchange data freely with EU-based organisations.
The General Data Protection Regulation in EU Law will cease to apply to the UK after the 31st of January 2021.
However, the United Kingdom General Data Protection Regulation (UK-GDPR) took effect on the 31st of January, 2020 and was modelled after the EU’s; and just as the UK’s Data Protection Act of 2018 was meant to be read in conjunction with the EU’s GDPR, it will now be read in conjunction with the new UK-GDPR. What this means is that UK-based organisations will have the same compliance obligations outside of the EU as they did when the UK was still a member state.
Once the UK has left the transition period, UK data law will no longer be enforced and supervised by the EU, but instead by the Information Commissioner’s Office.
As you can see, there are a lot of things to take into consideration when it comes to your data, but we’re still waiting to see what the talks around these regulations decide. If you are concerned about where your data is and what to do with it before the end of the year, TechQuarters will be hosting a Webinar on Thursday 5th November on just this topic. If you wish to attend the Webinar, and learn more about how Brexit will alter the data requirements of UK-based organisations, you can register for it here.