Beginning in 2016, the effects of Brexit on data sovereignty were given a lower priority than items such as our economy and future standing. Even now, much of the focus is on the impacts and processes needed to support the exit of the UK rather than on where the data itself is located.
As we move further into the period in which we negotiate our future relationship, these issues are surfacing more and more. With a continual increase in UK-based businesses using cloud services, the outcome of the Brexit negotiations may change the way the UK stores and handles data in the future.
What does current data transfer look like?
Under current legislation, all members of the European Union benefit from what can be described as “free data movement”. Personal data can be transferred freely between EEA member states, which include all EU countries. In addition, under the terms of the withdrawal agreement, it can also be transferred freely with the UK until the point at which the withdrawal agreement ends (currently 11pm GMT, 31 Dec 2020). Additionally, the UK is currently covered by data agreements between the EU and other countries, for example the EU-US Privacy Shield Framework.
However, EU data protection legislation states that “special precautions need to be taken when personal data is transferred to countries outside the European Economic Area that do not provide EU-standard data protection”. As a ‘third country’ after Brexit, the UK will no longer automatically benefit from this free flow of data.
What does this mean for the UK?
If the EU does not grant “equivalency” post-Brexit (we have left; Brexit is done), the UK’s privacy policies may not be considered as having ‘data adequacy’, meaning information cannot pass freely between the UK and the EEA without further safeguards being required. Additionally, the UK would no longer be covered by data agreements between the EU and other countries, meaning the UK will need to negotiate its own deals.
This would impact organisations that handle EU data stored in the UK: you would no longer be able to rely on adequacy alone, you would need other provisions (model clauses, binding corporate rules, etc.), and you would need to appoint an EU representative if you don’t have an EU-based office at which a data subject or data protection authority can serve you notices.
Separately, certain industries are subject to different regimes: for example, Civil Nuclear, which is bound by the Nuclear Industries Security Regulations 2003, and sectors such as Law Enforcement, whose processing of personal data is not covered under GDPR. In practice these regimes mean such organisations almost certainly need to keep that data inside the UK (and for them UK means UK: not the Channel Islands, the Isle of Man or Gibraltar, and not our friends in the Republic of Ireland).
Also, national security organisations in the UK may have to rely on data sovereignty by holding their data in British data centres rather than in the EU and partner countries. Generally, most of industry would be able to put their data wherever they want, but SHOULD they?
What is data sovereignty?
Data sovereignty is often defined as data being physically stored within the borders of a country and subject to the laws of the country in which it is collected or processed.
However, we believe data sovereignty is broader than just where you store your data and includes any processing, management and access. If you use a global content delivery network, or you manage the service and data from overseas, then your data sovereignty could easily be compromised.
What are the benefits of storing your data within the UK post-Brexit?
By moving to UK hosting solutions, your data will be subject to UK data protection legislation post-Brexit, making things easier from a data transfer perspective for the information that you hold on UK citizens and businesses.
How can you prepare for a post-Brexit data landscape?
If you are a UK business or organisation that receives data from contacts in the EEA (European Economic Area), you need to take extra steps to ensure that the data can continue to flow after Brexit. Your best steps include:
• Already complying with current GDPR standards.
• If a business or organisation operating within the EEA is sending you data, they will still need to comply with EU data protection laws. You will need to take action with them so the data can continue to flow.
• Setting up SCCs (Standard Contractual Clauses) is the best way to keep data flowing to the UK.
• Make sure to review and update your privacy information and documentation with the latest information and guidance.
• Confirm you can continue to use your existing IT services, as it may be entirely possible that several of the processes or technologies you have in place today will be impacted once the withdrawal agreement ends.
If your organisation operates in the EEA, you will need to comply with both UK and EU data protection regulations once the withdrawal period closes. You may also need to appoint a representative in the EEA, and you will need to comply with the UK data protection regime for your activities in the UK.
How can Nine23 help?
Private cloud allows companies to bring data into a sovereign area and provides the confidence of being able to meet assurance and audit controls. Nine23 are pleased to offer the FLEX Platform: a UK-based, secure and scalable service offering customisable functionality within a private cloud instance, which can be accredited up to Official-Sensitive or Secret. It is located in secure UK hosting locations, with connectivity to government and corporate networks and to internet-connected organisations using proven secure access solutions.