No Deal effects on data transfer between the EU and UK
As I write and post this, the news has just broken that the UK Supreme Court has handed down a verdict that the prorogation (suspension) of Parliament by the Prime Minister, Boris Johnson, is unlawful and has no effect. That does not, in my opinion, affect the outcome of Brexit – even at the extremes of a No Deal Brexit or revocation of Article 50 so that the UK remains an EU member. This article discusses an issue on which businesses must act to mitigate a potentially terminal risk to their existence.
I have been warning for almost a year that a far bigger threat to UK businesses than having goods delayed at border crossings is the sudden cut-off of data flows between the EU and UK. While a 3~4 delay in delivery of goods is likely to have a variable impact on businesses, the sudden removal of communications and data-critical business systems is likely to prove the death of many businesses.
The inability to transfer data across borders presents an existential threat to UK businesses from Day One post-Brexit.
The problem is that as soon as Britain leaves the EU (under any circumstances) it becomes an untrusted “Third Party” as far as the EU’s data protection laws are concerned, and is therefore no longer deemed to comply with the EU GDPR and other data protection regulations, as it is while an EU member state.
Even under the best outcome – a deal including a transitional arrangement – the legality of data flowing between the EU and the UK remains uncertain and dependent upon the UK achieving an “adequacy” status on data protection from the EU before the end of any transition period agreed.
Though it is thought unlikely that the shutters will come down immediately on Brexit Day (or the final day of a transition period), and I personally think it highly unlikely that you will find the UK ICO (or an EU equivalent) knocking on your door any time soon, that is not your worry.
Your worry is that the relevant data protection law applies inside the EU and, from the day the UK leaves, makes it illegal for companies storing or processing the kind of data that businesses need simply to operate every day to transfer that data to you. So while you may have no problem (say) updating a database held on a server or cloud located in the EU, you will be unable to get that data back.
While your company will be committing no offence under UK law, your worry is that large cloud service providers (whether simply acting as storage for “your” database or providing higher level services – email, ERP, CRM, data analytics …) would be committing an offence inside the EU if they transfer data to you in the UK.
So the question you must ask is: how long will even large cloud service providers (such as Google, Microsoft or Amazon) continue to risk their businesses by committing breaches of law inside the EU?
Business today relies on the free flow of data for everything from ordering materials through production to delivery – including all other essential processes such as marketing, sales, communication and coordination.
The threat does not only affect car or aircraft manufacturers who rely on just-in-time delivery of goods. It threatens every business that uses any cloud-based service (even for email) in any part of its business process.
And that description covers just about every business in the UK from the smallest SME to the largest multi-national.
Few have taken any notice (even the British Computer Society only seemed to partially wake up this month, by including a reference to a Cambridge University academic article in one of its emails sent to its members – hardly likely to make the evening news). The Institute of Directors, in its advice on how businesses should tackle Brexit, suggests that companies should sign up for new “cloud based services” – staggeringly bad advice!
In case you are among the many who have not yet realised the disaster about to befall cross-border data transfers between the EU and the UK should a “No Deal” Brexit come to pass, may I suggest reading this article from Wired UK magazine, https://www.wired.co.uk/article/no-deal-brexit-data-adequacy-gdpr, which sets out a few of the problems that would arise.
In short, businesses that currently pass data covered by GDPR and earlier EU legislation FROM the EU ==> TO the UK will encounter problems immediately following Brexit.
As the Wired article explains, following a No Deal Brexit (or even a “soft” Brexit without a declaration of “adequacy” of the UK’s data protection regime) it will become illegal to pass personal data from an EU state to the UK.
This covers any data that includes personal identifying data. Some examples of personal identifying data are name, address, phone number and email address … precisely the information you need to, say, accept and process an order, issue invoices or deal with some suppliers. Even your own name and email address are personal identifying data, so they fall under EU data protection and would not be legally transferable to the UK in the circumstances discussed.
What does that mean? A few examples might help:
- If your business uses an email service whose servers are located in an EU state, it will become illegal for that email service to deliver emails addressed to you. Such email services include Google, Microsoft (Outlook and Hotmail), Yahoo and many more provided by ISPs that simply back on to these larger services. If you have your own domain name (e.g. “mybusiness.co.uk”) but have delegated your email service to one of the big providers (Google, Microsoft etc.) that make it easy to have all your email dealt with by their services, be aware that you will also be affected.
- One quote from the Wired article: “Disrupting the flow of data could be disastrous. To take one example: in a recent study, researchers from University College in London point to the fact that the university’s own email system, Microsoft Outlook, only works because data can be transferred from servers in Ireland to servers in the UK.”
- If you use an online (cloud-based) system for your business accounting or for more complex aspects of your business (such as a full ERP system), or a CRM system such as Salesforce.com, and the servers used to deliver those services are located in the EU, it becomes illegal on “Brexit Day” for the companies operating those services to transmit “your” data to you – at least insofar as that data includes any personal identifying data, such as customer names …
The Wired article explains that, post Brexit, (a) the EU will no longer consider (as a simple matter of law) the UK to comply with its data protection laws and (b) even though the UK currently has slightly stronger data protection legislation in place than the EU generally, it will assume that the UK might change its position at any time to weaken those protections – something the current UK government has already stated it is considering. There is also the small matter of the UK being a member of the “Five Eyes” group of countries (the other four – USA, Canada, Australia, New Zealand – already being non-EU states), which share personal data for “security reasons”.
Beyond this, the UK already has legislation in existence that breaches EU data privacy laws – currently ignored under a generic provision that the EU does not interfere in member states’ “security” arrangements – which would immediately fall foul of EU law once those exemptions no longer apply. As the UK continues to diverge from the EU position (and at least several of the other Five Eyes countries could be considered to have an anti-privacy stance), this alone will make it problematic for the UK to regain an “adequacy” status from the EU’s EPDA regulator – a process that normally takes between 18 months and five years in any case.
A more worrying concern is that the EU will shortly “beef up” GDPR with even stricter data privacy and consumer safeguard legislation – and unless the UK enacts equivalent or better protections it may be far longer than five years – if ever – before the UK achieves third-party adequacy standing.
What can you do to protect your business?
Let me say the one thing you cannot do – sit back and hope someone else sorts out this mess before it happens. With just a few weeks left until a possible No Deal departure by the UK from the EU, the sudden loss of access to business-critical systems will bring most unprepared businesses to an equally sudden dead stop.
An action plan
It is impossible to give anything but generic advice in an article, but as a minimum I would suggest all businesses (SME or multinational) do the following:
- Perform an audit of ALL computer systems in use throughout the organisation.
- For each, determine:
  - The importance of the system to continuation of business activity.
  - Where in the world the DATA and the PROCESSING SOFTWARE are located – e.g. on server(s) located in Ireland / the U.S. / …
  - In the case of cloud-based services (e.g. clients of Amazon AWS or Microsoft Azure …), have you a contractual statement that your data and services are held in a specific location? If so, is that location a region or a specific country?
- For EVERY system identified, do you have a FULL backup of the DATA inside the UK, as well as continued access to the processing software inside the UK?
- Whatever your answer, take the time to review your data and system backup strategy and ensure that you maintain a full, current backup of your data inside the UK – apart from being essential business practice, this would at least preserve your data in case of loss of access to processing systems, such as could occur where the processing company or the servers it uses are based in the EU.
- For EVERY system that processes the slightest sliver of personal data:
  - Take action to ensure that both the data and the processing software are hosted on servers physically located inside the UK.
  - Be very aware that, as the UK has enacted GDPR legislation inside the UK, you may be operating illegally if you transfer personal data to a country outside the UK. This factor is already in place (though widely ignored) because many organisations simply add a cloud compute or storage instance to their system without giving thought to where in the world that instance is physically located. To be legal, all such instances used by UK companies must currently be located inside the EU. Post-Brexit, all those instances must be physically located inside the UK to avoid the problem of loss of data access from the EU.
  - If you currently have servers or cloud instances located inside the EU holding and processing UK personal data, DO NOT be tempted simply to move them to a third country outside the UK (e.g. the U.S.) without first checking the legality of storing and processing that data in that physical location. Reason? Countries such as the U.S. currently have far weaker data protection laws than Europe (by which I mean the EU including the UK), and as the UK will have GDPR-equivalent legislation in place even post-Brexit, it is likely to be illegal to store or process personal data in those locations.
  - If you are so unfortunate as to come across a situation where a cloud-based systems provider can offer no UK-located servers or instances, you will have to plan for a platform change to a provider who can provide UK-based servers. This is vital, even though it may cause major disruption, because – depending on how the politics play out and therefore how hard or lenient a stance the EU regulators take – if you continue to use EU-located servers for any service or system you risk having it removed without warning.
There is a current and developing strong argument for organisations to move away from cloud computing (where data is stored and processing performed in uncertain physical locations – in practice, large data centres somewhere) towards edge computing, where data is stored and processed on premises – protected by firewalls and intrusion detection and prevention systems.
This trend is driven by the lowered cost and increased speed and availability of Internet connections, alongside technical advances that, in simple terms, allow even a small organisation to implement an “own-cloud” platform – retaining the ability to create and destroy instances of development, test and production software and data stores on demand. Another major factor is data security. If a business’s data is always held inside its own premises there is no possibility of incidents such as the repeated, highly costly and reputation-staining loss of private data that occurs when a technician opens yet another cloud-based instance to temporarily store a copy of the organisation’s entire data store but forgets to put the most basic password protection on it – leaving the data swinging in the breeze for as many hackers as can grab it over a multi-gigabit data pipe as you could ever have nightmares over.
Brexit poses huge and costly threats to businesses – especially in the realm of data storage and processing.
But wherever a problem arises, an opportunity lies on its opposite side. Time may be against you, but use the opportunity to:
- save your and your customers’ data
- ensure that you are complying with all current data protection legislation
- where you must, or where you are forward planning, take heed of technology changes that may make it more desirable, for many reasons, to bring data and processing back in-house