Data 2021 – UK, EU, Brexit and what you need to do now to be ready
FREE Webinar – 16 December at 1pm.
Click on the link to register https://attendee.gotowebinar.com/register/8011131191920337166.
As we approach the end of the transition period for the UK departure from the European union, most of the news coverage has focused on pictures of car ferries in Dover and lorries potentially queuing across Kent. The perception that Brexit is only a problem if you export manufactured goods to Europe is enhanced by the British government’s own Brexit website. As a result, many organisations in the service sector are jumping to the conclusion that Brexit is not a problem for them and they will not have to worry. This impression is clearly taking root when according to a recent survey by the Law Society of England and Wales where ¾ of respondents said that either Brexit did not apply to them or that they had taken all the necessary measures. However, all of this ignores the fact that the law relating to international data transfers from Europe to the UK will change at midnight on 31st December 2020 and may still change whether there is a “deal” announced in the coming days or not.
The UK and Data:
As a member of the European Union, personal data is able to freely enter the UK from Europe unhindered. Once the UK has left the EU such data transfers between any UK based organisation relying on servers based in the European Union and a third party must be governed by a data transfer agreement that contains the necessary standard contractual clauses (SCCs), this will include any relationships that UK organisations may have with cloud providers who are hosting any personal data related to their organisation. This could include details relating to clients, consumers or business contacts, staff details, payroll or benefits. Consequently, this might affect any specialist cloud services used by an organisation as well as more general services such as Office 365, telephony and voicemail, as well as ancillary services such as any CCTV or conference call recording that may take place. If any of these services, which could conceivably include personal data being stored on servers inside the European economic area (any of the 27 EU member states plus Norway, Iceland and Lichtenstein), it will be necessary to ensure that SCCs are in place on any contract governing the relationship between these parties and the transfer of data from within the EU to an external state which will now include the UK.
It is important to ensure, as part of every organisation’s due diligence, that all of these relationships have valid contracts in place containing these SCCs. Do not presume that a provider such as Microsoft or Amazon Web Services have catered for this and have updated their terms. It is the responsibility of each organisation to be able to demonstrate their compliance, if need be, to any of the European data protection regulators.
The implication is that if the SCCs are not in place – and that we are talking here about quite detailed annexes to contracts and not just the insertion of one or two paragraphs – is that European data protection regulators could force cloud providers to switch off access from the UK to their systems on 1st January 2021 if no alternative arrangement such as an “adequacy decision” has been agreed between the European commission and the British government.
All contracts with 3rd parties covering the processing of any personal data, including audio or video recordings need to be reviewed to ensure that they contain the necessary SCCs.
If you require any help with this, please let us know and we can review any individual contracts or review in bulk if required.
If you would like to know more about this risk and the implications please let us know and we will be happy to schedule a conference call to go through the issues and answer any questions that you may have.
Alternatively, we will be hosting a FREE webinar on 16th December at 1pm, click on the link to register https://attendee.gotowebinar.com/register/8011131191920337166.