Darren Hockley, managing director of eLearning provider DeltaNet International warns that the status of data held in the cloud may not be clear post-Brexit
This article is the view of the author and not necessarily of Ready for Brexit
UK organisations, particularly our innovative and industrious SME community, must consider Brexit’s impact on digital trade. It seems obvious to say that the global economy is underpinned by the free-flow of information, but so many British organisations are data-driven – remember, almost 80% of the UK economy is service-based. Combine this with the rise of cloud computing, which affords many smaller businesses access to IT systems and tools previously out of their price range, and we’re starting to see some real hurdles in the cyberspace between the EU and the UK post-Brexit – especially with the recent implementation of GDPR across all EU member states.
GDPR revolutionised the way countries in the EU process data. Hailed as the biggest overhaul of privacy regulations in decades, the legislation refers to countries outside of the EU as ‘Third Countries’ for purposes of data processing. Under GDPR, Third Countries are subject to restrictions concerning data transportation and must be deemed ‘adequate’ enough to participate in data transfers with the EU. Data protection adequacy is usually granted to those countries whose level of data-protection law is comparable with that of the GDPR – hence the UK’s implementation of the Data Protection Act 2018.
So where does this leave UK organisations, and particularly our data-driven SMEs, who may not have the foundations and financial support that large multinationals enjoy?
For companies that take advantage of the relatively cheap and accessible data storage and hosting that cloud technology affords, questions should be raised as to precisely where this data is and which laws govern its use and access. Remember, even in the cloud, servers still have to be physically located somewhere – and not necessarily in the same country as your service provider. In a no-deal scenario, and during the limbo of waiting for the EU’s adequacy decision regarding the UK, companies could be left facing issues about how to access the data they usually store and process. The cloud could become a digital no man’s land post-Brexit – just one example of why it’s inconceivable that a Brexit deal with the EU wouldn’t grant data protection adequacy to the UK by definition.
The idea of a sort of ‘adequacy limbo’ is another important consideration for businesses, whether large or small. After all, global trade cannot be put on hold whilst the EU scopes out the UK; and Brussels has made it clear that considerations won’t happen until after the UK has left the EU. Still, many organisations in the UK work with service providers based in the EU, and vice versa. Whilst it’s highly likely that the Data Protection Act 2018 will ensure that the UK is eventually granted adequacy by the EU, the damage to EU/UK business relations could already be done by that point. Consider the fact that SMEs have driven more than 70% of private sector growth in the UK since 2011 and now employ an impressive 15.7 million people across Britain, and the repercussions of disrupting data transfers between the UK and the EU look seriously costly for the economy.
To prepare for the times ahead, and no matter how uncertain things seem right now, SMEs must be proactive. Now is the time to review organisational processes and put practices in place for processing data that comply with the Data Protection Act 2018. As the UK’s implementation of GDPR continues, this is the best advice any organisation looking to maintain business partnerships and relations across the EU could take; not to mention it’s also the best way to mitigate the risk of a data breach!
Complying with the DPA 2018 will involve implementing data controller / data processor agreements or contracts with your clients, particularly if you work with or process data from EU citizens. It will also mean:
- Processing data in a manner which is lawful, fair, and transparent and which maintains the data subject’s rights.
- Processing data only for the purpose it was collected – if your purposes change over time, or you have a new purpose which you did not originally anticipate, you may need to seek new consent for processing data.
- Limiting the storage of data only to that which is strictly necessary and relevant. In the case that excessive data is (or has been) collected, the data should not be used and should be deleted securely.
- Maintaining data records which are accurate and up-to-date. Where any personal data is found to be inaccurate, reasonable steps must be taken to ensure that such inaccurate data is deleted or rectified without delay.
- Storing personal data only for as long as is necessary. Under GDPR, organisations must not keep hold of personal data ‘just in case’.
- Processing and storing data with integrity. Every reasonable measure should be taken to maintain the security and confidentiality of data and to prevent unlawful processing, loss, destruction, or damage of data.
- Maintaining a culture of accountability. Data controllers are responsible for, and must be able to demonstrate compliance with, data protection laws.