Navigating post-Brexit international data transfers with Trace

It’s 1st February and today Britain is officially out of the European Union, and under the terms of the UK-EU Withdrawal Agreement, we have now entered a transition period until the end of 2020.

And whatever your personal view on the wider political ramifications, UK organisations should now turn their attention to ensuring data can continue to flow, amongst other vital preparations for the change that lies ahead.

Why are international data flows so critical for a future focussed economy?

Our digital economy is inherently global, with data transfers across borders its lifeblood. Businesses share information with international partners, they store employee details in cloud systems (with data centres in other countries); data lineage is more complex than many of us realise involving sub processing (third, fourth and fifth parties) on a global scale.

Personal, financial and sensitive data must be protected and remain legal within that complex picture. That’s important for businesses as ‘data controllers’, for us as individuals ‘data subjects’, for the processors when it comes to liability and for the overall health of our data-driven economy.

McKinsey estimates that cross border data flows accounted for 3.8% of global GDP. In an advanced services driven economy such as the UK, cross border data flows are likely to make up a much bigger proportion of GDP than that. 43% of total UK exports are services-related with more than one- third of these trade flows with European partners and the majority of trade in services are underpinned by cross-border data flows.

(TechUK)

It’s clear that it’s in Britain’s best interest that organisations (businesses, governments, international health authorities etc.) retain a free flow of information with the EU, and beyond that globally - subject to sufficient safeguards being in place in the relevant countries and data processors. Compliance with the GDPR is also often seen as a ‘gold standard’, helping our competitive advantage as a trusted partner and for organisations as good data custodians; it’s also key we retain a reputation for championing privacy standards.

So what happens now, during the transition period?

For the next 11 months, during this transition state, many questions remain and need to be fleshed out when it comes to how the international regime may change come 1 January 2021. For now though, there’s a message of continuity, whilst putting sensible preparations in place.

During this period… it will be business as usual for data protection. The GDPR will continue to apply. It is not yet known what the data protection landscape will look like at the end of the transition period and we recognise that businesses and organisations will have concerns about the flow of personal data in future.”

(ICO Statement on Data Protection & Brexit)

The headlines:

• The GDPR, The UK Data Protection Act (DPA) and the E-privacy directive continue to apply - as part of the existing framework - it’s ‘business as usual’

• The European Commission will commence assessment of an adequacy decision during this transition (all eyes will be on this important process and decision)

Preparing for 2021: what should UK companies be doing now?

While the post-transition data governance landscape remains unclear, organisations are advised to get a handle on personal data processing and compliance, in readiness for change (for noting, this should remain an ongoing priority for compliance, regardless).

International law firm Baker Mackenzie’s advice is to:

Review current international data transfer arrangements and identify any transfers of personal data from the EEA to the UK (as well as any transfers from the UK to other countries), and prepare to put standard contractual clauses or alternative safeguards in place where necessary.

Consider any other steps which may be required after the transition period, such as updates to privacy notices, records of processing, Data Protection Impact Assessments or Data Protection Officer appointments.

(Baker Mackenzie)

So how can Trace’s platform help?

1. Our streamlined data auditing capability helps ensure your key compliance artefacts, your Records of Processing Activity (RoPA), retention schedules, security audits and third party reviews remain current and available on demand (for stakeholders, auditors and the privacy team). Our platform helps identify and close legal gaps and risks with easy to understand dashboards

2. Trace’s global data visualiser helps you understand which global regulations apply to your data, and gives clear guidance on when to use transfer mechanisms like Standard Contractual Clauses (SCCs) and where adequacy applies

3. Keep on top of your third party privacy risk; manage your contracts and assurance seamlessly with our smart Document area - including smart contracts, secure processing assessments and your key compliance documents

4. Expert privacy professional services: consultancy, training and support from qualified Privacy and compliance professionals. Contact us to discuss your project.

Interested in arranging a demo to see Trace in action? Get in touch.

Read our privacy promise.