While politicians continue to debate the UK’s future in full and furious public view, one important issue has been out of the headlines but remains vital to our economic future whatever the outcome of Brexit – and that is the issue of data protection.
A recent report by University College London¹ highlighted the fact that scant attention has been paid to data transfer in the midst of the turbulent Brexit debate, despite the fact that the UK is a global hub for data. The report stated that in the event of a No Deal, “The UK would immediately become a third country in EU law, and instant disruption to EU-UK data flows would ensue.”
While the uncertainty and intensity of the politics continues, there are a number of considerations you can make to ensure that you are as prepared as you can be once a decision is made. And indeed, these are prudent considerations that organisations should be mindful of at all times, as data is the lifeblood of supply chains, trading partnerships and online commerce.
What data do you have?
Depending on the nature of your organisation’s work, it could process business data or personal data. This data might be stored in different locations and potentially in different countries. Understanding what data you have and how you process it is a key responsibility for every organisation at all times, not just when turbulence hits.
It is important to assess if you are transferring personal data – this could be the transfer of people’s names, addresses and financial details. If you have personally identifiable data (PII) from EU citizens you should already be operating under the EU General Data Protection Regulation (GDPR). The government has stated that the UK Data Protection Act 2018 will remain in place in the event of a hard Brexit and the EU Withdrawal Act would incorporate the GDPR into UK law to sit alongside it.
The UK government has also said that the free flow of personal data to the EU would continue, albeit under review. However in the event of a hard Brexit the UK would have become effectively a third party country, so discussions would then start to establish an adequacy decision to enable the flow of data the other way, from the UK to the EU, to continue. This could take some time. The UK government has recommended that organisations “proactively consider what action you need to take”, such as putting standard contractual clauses in place to ensure data transfers can continue to any European partners.
Where is your data stored?
For many UK companies, their data has to be in a UK sovereign data centre for regulatory reasons, aside from anything that happens over Brexit. To be sure that your data is in the UK check with your hosting provider that they are using UK data centres and, if you are using a hypercloud provider, check that your data is being hosted in one of their UK regions.
As Brexit could affect the flow of data from the UK to Europe, it might be necessary for some companies to host data in the EU. If this is the case you will need to check your hosting arrangements.
If your organisation uses a managed hosting provider or a public cloud provider to store or process your data, check with them that the data is located where you need it to be. If this turns out not to be the case, you will need to make arrangements to have it migrated to the correct location.
Map your data
Mapping your data – understanding where it is and how it flows – is good housekeeping for any organisation at any time. It helps you to understand what data is being collected, where it is being stored and whether you have the right security measures in place to protect it. A data mapping exercise can often lead to improvements in your operational efficiency. A supportive hosting provider can play a key role in helping you with the detail.
With this information it is easier for your departments and management teams to ensure that record keeping is up-to-date and that any legal agreements required to move data across geographical locations are in place. In uncertain times it ensures that data protection is a fundamental part of your business strategy no matter which countries you operate in.
Although these are challenging times, Brexit provides the opportunity to consolidate and future-proof your approach to data protection.
If you need advice or support to migrate data to a UK data centre, iomart owns and operates a network of data centres right across the UK which are fully ISO accredited. Conversely if you need to host your data in Europe, we have secure data hosting facilities in Ireland and in a number of other EU and EEA countries. We have twenty years’ experience of delivering managed data protection for our customers. We work with you to ensure your data is always secure and protected.
For more information the ICO has a useful section on its website.