Brexit, Data flows and what you can do now
Even by the tumultuous standards of the last two years, this week in British politics has been exceptional - marked by high drama, twists and disarray. We’re all left to speculate on the outcome of our manner of withdrawal from Europe, but of course the guessing game is dangerous territory. Only one thing feels clear: nothing is as straightforward as the binary tick box of the referendum vote itself. Whichever side you’re on, British politics feels very messy and muddled right now, although it makes for utterly compelling news headlines and compulsive media consumption.
While I normally stay away from politics and predictions on this blog, it feels important to highlight some advice for organisations to consider right now when it comes to Data Protection, compliance and Brexit. Not knowing how things will unfold as we near March 2019 (which currently feels like it is approaching at break-neck pace) is highly frustrating for all of us, and even more so for businesses who need to plan, but there are some sensible steps to take now regardless of the road we take.
I always refer my clients to the Information Commissioner’s Office (ICO) as the authority for detailed content on the General Data Protection Regulation (GDPR) and Data Protection Act (DPA) 2018, so rather than re-hash that I’d prefer to add to what the ICO have said this week.
In my view, the most important of the ICO’s ‘six steps to take now’ is the need to continue to comply (this is because GDPR “will be absorbed into UK law at the point of exit, so there will be no substantive change to the rules that most organisations need to follow.” ICO), which is what Sympatico have been advising clients over the past year. So it’s a case of continuing to embed and uphold your privacy programmes, championing the principles of the regulation, closing the compliance gaps in your plans, mitigating risks and ensuring your documentation is in good order, with regular reviews as your operations and data management change (or get help from Sympatico).
The other key step (from the six) which the ICO urge you to take is to review data flows and transfers (i.e. where do you receive data from European companies, where do you transfer data internationally, and are you assured that the relevant safeguards are in place?). Now many of you will already have modelled your data and have robust programmes in place; however, for those of you who haven’t fleshed out your data relationships, roles and accountabilities, and mapped where the personal data in your charge flows, this is a critical exercise as it can help inform your whole approach to compliance. It also helps you visualise and understand what the GDPR really means operationally.
It’s also important to regularly review your technical and organisational measures when it comes to upholding privacy law, protecting the data within your care and getting assurance on its protection as it flows to your suppliers and processors (if you’re the controller). With the various Brexit scenarios at play (and the question of adequacy status for the UK if there’s no deal), it becomes even more important to understand the international data flows at your organisation now.
Now you may be thinking ‘I don’t transfer any data out of the UK’ - I get that a lot; but ask yourself whether you have actually been through the exercise to check that: not only understanding your data processors’ approach to privacy and gaining their assurance on compliance, but also looking at where they store your (customers’, employees’ etc.) data. This needs careful consideration if you’re using lots of cloud services, for example; it’s crucial to understand the geographical location. And this all requires extra thinking when it comes to contracts and safeguards if there’s a hard Brexit, particularly for your suppliers or clients in Europe who need to (continue to) share data with you (note I am not saying this will be the scenario…but fail to prepare, prepare to fail, as they say).
If the European Commission does not make an adequacy decision regarding the UK at the point of exit and you want to receive personal data from organisations established in the EU (including data centres) then you should consider assisting your EU partners in identifying a legal basis for those transfers. (UK Government guidance, based on a no deal scenario)
Mapping your business’s information and locating personal, sensitive, transactional or high-risk data (or reviewing the flows) may sound daunting, but you have to know where your baseline is today in order to genuinely tackle the gaps or risks to your reputation (through non-compliance, data breaches etc.) and to be prepared for the disruption of a no deal. Sympatico’s approach is to make mapping visual and interactive: whether that’s via one of our data map building workshops or via our information mapping visualiser tool, we make it accessible and tangible for your organisation.
So while Brexit is unknown right now (whether it will happen, what form it will take… I could go on), don’t let your data be. Discover where your critical information is (UK, EU Data centres or beyond), uncover and tackle risks and gaps, and ensure your customers’ data is being looked after. Understand your compliance and data health so you can be on the front foot, whatever change comes.
For training, workshops, audits, DPIAs or to try our data mapping tool, get in touch with me by emailing firstname.lastname@example.org.