Guardum comment: data adequacy decision
December 2020 by Darren Wray, CTO at data privacy experts Guardum
With time running out to secure a data adequacy decision before the end of the Brexit transition period, Darren Wray, CTO at data privacy experts Guardum, offers comment and advice to help businesses prepare:
“As crazy as it may seem given that the UK has been part of EU Data Privacy since 1984, when the UK ends its transitionary stage with the EU at the end of the year, it will not automatically retain its GDPR equivalency. The UK will become a ‘third country’, meaning that personal data cannot be transferred to the UK without special contractual agreements being put in place by organisations and their partners. Unfortunately, the validity of such contractual arrangements is likely to be challenged.
If this situation wasn’t complicated enough, a recent court case between Max Schrems and Facebook in Ireland has seen the ability for organisations in the EU to send data to the US for processing. What difference does this make to the UK? Well, the Schrems II ruling was based on the US Government’s abilities to seize or snoop on data without the ability for citizens (EU or otherwise) to have any recourse. These abilities were revealed as part of the revelations by Edward Snowden. Unfortunately, the UK was also named as a partner in many of the global surveillance programmes revealed by Snowden. This, combined with regulation such as the Regulatory Investigatory Powers Act 2000 (RIPA) which enshrines state surveillance in UK law, means that EU firms will be forced to see the UK as not offering adequate EU data protection.
So what should companies with partners in the EU and other parts of the world be doing now to prepare for the end of the UK’s transition?
1. Understand your data flows
Make sure that you know what personal data you are sending, to whom, and what country they are based in. This should be something that all organisations have a good understanding of as part of their GDPR compliance, but things change, so now is a good time to make sure that everything is up to date.
Don’t forget to include the companies who host your corporate data, including services such as Office 365 that provide data storage and the processing of email.
2. Understand your client and vendor agreements
Checking through your client and vendor agreements so that they can be amended ahead of time is something that every organisation ought to be doing right now. Unless firms have paid attention to this particular area in the past then there is likely to be at least some work to be done.
3. Ensure the protection of your unstructured data
One of the things that is going to change is that, whereas before a company based in the EU could encrypt a document and send it to its UK partner for processing, in future they are likely to need to redact or remove the personal information in any documents. So before they are sent back and forth, they should use automated redaction software to minimize the risks and the workload of this process.”