How the channel can approach data protection post-Brexit

[Image: the Union Jack and the European flag with a diagonal tear splitting them apart.]

The European Union's (EU) General Data Protection Regulation (GDPR) has completely changed the way organisations around the globe handle EU citizens' personally identifiable information.

Hefty fines have already been imposed on companies that have failed to comply with GDPR; for example, the French data watchdog ordered Google to pay €50 million for failing to meet transparency and information requirements and for not obtaining a legal basis for processing.

Since GDPR came into force on 25 May 2018, data controllers have invested significantly in accelerating their compliance programmes. Post-Brexit, however, the UK could become a "third country" (read: non-EU), to which the transfer of personal data will be strictly regulated under the regulation's provisions and, in many instances, prohibited.

The outcome of the Brexit negotiations is unknown at this time, which means it falls on channel partners to guide their customers through the confusion and help them prepare for all eventualities.

The mechanics of data adequacy

Model data protection clauses, like the Data Protection Act 1998, are being established to regulate the transfer of data to non-EU countries; these clauses are usually handled by a service provider that ensures compliance with EU data protection rules, including the EU-US Privacy Shield.

GDPR, however, contains provisions that enable the European Commission (EC) to issue a "decision of adequacy," granting data controllers in member states permission to transfer PII to an approved third country as though that country were part of the EU.

Securing an adequacy decision, however, requires a significant amount of work and expertise from the third country concerned: the country requesting special data transfer privileges must submit proof of adequate data protection regulations to the EC and elect a designated authority that can corroborate that proof of adequacy.

Assuming the UK will no longer be a member of the EU, the country's data protection laws should, in theory, already meet the GDPR's standards for becoming an adequate third country.

This is easier said than done, however, and to complicate matters further, the UK is seeking an "enhanced adequacy decision," which means the UK's Information Commissioner's Office (ICO) will continue to participate in the European Data Protection Board (EDPB) for data protection decisions. Needless to say, this proposition has already faced resistance from the EU. Assuming the UK's request for enhanced adequacy is denied, there are two possible outcomes.

The first is that the UK achieves an adequacy decision, in which case the ICO cannot participate in the EDPB. The alternative is that the UK fails to meet the EC's adequacy requirements and is prohibited from exchanging data with member states unless an authorised data transfer protocol is in place.

Guiding partners through the quagmire

Brexit or not, GDPR is here to stay. Any non-compliant UK organisation hoping that Brexit will negate the effects of the regulation will be disappointed, and organisations based in the UK might need to move an offshoot of their operations to another European nation until matters surrounding Brexit become less hazy.

With the outcome of Brexit still unclear, UK organisations should prepare for the worst and have their proofs of adequacy ready should the UK become an unapproved third country. This presents an opportunity for channel partners to engage with, and educate, their customer base on the changing requirements around data protection as and when those changes unfold.

Through this engagement, partners can highlight the value of the services available to support changes to working practices around data collection and management, whichever form those practices take in a post-Brexit UK.

Srilekha Sankaran is product consultant at ManageEngine