Generally I don't like to write about brexit because of the emotional attachments that some people have to it; and the fact that it is almost impossible to find stock imagery which doesn't sway to either side of the debate.
But, as we near the eventual date of departure it seems prudent to be aware of what may come - particularly in the case of a unmanaged departure, often known as no-deal Brexit, and the GDPR (General Data Protection Regulation).
Note. it is important to remember that this is a fluid and changing situation, while the content of this blog has been written based on the information available at the time. It may not be applicable based on changes in the political outcome of Brexit.
In September 2019, the Government's dossier on the possible risks posed to day-to-day life in the UK was released, after much fanfare from a previous leak. The UK Government has been keen to point out that this document contains a worst case scenario impact assessment - and is not necessarily how things will come to pass.
Surprisingly, despite there being an obvious impact to data legislation in the UK post-departure, the Yellowhammer document did not mention data transfers at all. Instead focussing on the twelve key areas of:
- Transport systems.
- Trade over national borders.
- Healthcare services.
- UK energy and other critical systems.
- UK food and water supplies.
- UK Nationals in the EU.
- Law enforcement implications.
- Banking and finance industry services.
- The Irish border.
- Risks to overseas territories and Crown dependencies.
- National Security
So what of data protection legislation and data transfers?
The GDPR Today
At the time of writing, the UK is a member state of the EU and as such has accepted the GDPR into law as the revised Data Protection Act 2018 - the provisions of which have been well documented.
Because the GDPR is a regulation designed to harmonise data protection legislation in all 28 member states, companies who operate in multiple member states or have data trading partners in another member state are able to transfer and process personal data without friction - so long as they abide by the law.
How Will No-Deal Brexit Affect Data Transfers?
Should the UK leave the EU without an agreed withdrawal agreement, the UK will cease to be a member state and will no longer automatically be permitted to be in receipt of personal data from a source based in the EU.
The UK will be categorised as a third-country and considered outside of the EU's data protection laws. The EU does maintain a list of countries which it deems as having adequate homegrown data protection safeguards. However, at this stage there is no indication to suggest that the EU will allow the UK to have this status in a no-deal scenario.
There are a number of resultant scenarios to consider in the case of the UK being a third-country:
- UK based companies who collect and process personal data of EU data subjects, will need to have registered representation in an EU member state.
- Data transfers of EU data subject personal data from an EU member state to the UK will need to guaranteed by contracts with modal clauses.
- The UK will no longer be able to participate in the EU-US privacy shield in its current form.
How to Prepare for No-Deal Brexit?
Once again it is important to stress that this is a fluid situation which is constantly changing. However, it is prudent to prepare for a no-deal scenario to ensure your business operations, particularly those which involve data transfers between the UK and the EU, can continue unimpeded.
Businesses which transmit and process personal data outside of data protection legislation requires run the risk of substantial fines.
- Assess your trading partners and whether you current transfer personal data between them.
- Consider drawing up data protection contracts with your trading partners which include modal clauses to guarantee the rights of data subjects.
- Ensure you are using solutions and services which transmit and process personal data, that have adequate protection, auditing and control capabilities.
The Industries Number 1 Managed File Transfer Software
Ipswitch MOVEit is a managed file transfer solution that automates and secures files transfers. It is well-known in the industry for helping customers with GDPR, PCI-DSS, SOX, HIPAA, ISO 27001 and more.
Such a solution would be a prudent and practical step in order to help ensure your file transfers can still continue, in a no-deal scenario.
If a deal is reached before the 31st of October or before a no-deal Brexit is enacted, businesses in the UK will have a transition period before new agreement is put into place.
If you would like to learn more about Ipswitch MOVEit and how it can help you to to protect your data transfers, you can take a look at our Ipswitch MOVEit web page or you can book a call with a member of the team to discuss further.