Aside from the deep-seated feelings Britain’s looming exit from the European Union elicits from everyone with an opinion, and ignoring the ridiculous number of words and phrases which have been created (seemingly out of thin air) to describe it, there are also some fairly fundamental elements which haven’t been broadly discussed yet.
Elements which could have (additional) impact on UK businesses.
If they aren’t (apparently) being discussed at a governmental level, what steps can you take to ensure your business stays protected through the negotiation of this minefield?
We are of course talking about European Data Protection and the potential ramifications for it of a ‘no-deal’, some deal or an ‘i-deal’ Brexit…
Over the next couple of months, we will be providing our take on what may happen from a pure Data Protection perspective. How might the various Regulations and Acts be affected by what is going on (or not) in the corridors of power…
The GDPR is a European Regulation, and each member state (even those planning to leave the EU) has the option to additionally implement its own country-specific version. These can amend some of the powers specified in GDPR. In the UK, for example, the Data Protection Act 2018 enhances the powers given to law enforcement and security agencies.
Let’s assume that GDPR is the most stringent Data Protection law in the world. If your company is outside of Europe, and hence outside its umbrella, then unless the country you reside in has an ‘adequacy decision’ or other contractual agreements around your Data Transfers and its Data Protection, you theoretically shouldn’t be transferring your data into Europe, or your potential customers’ data out of Europe to your systems.
Are you a SaaS developer based in the Middle East? What do you have in place to ensure your compliance with this and hence continued business?
Off-shore developers in India. Are you taking customer data from within Europe and using it to test future developments of the system you work with? Has your customer put in place a contract with you to define their requirements and expectations of you? If not yet, they will.
These issues can be examined regardless of what happens over the next 7 or so weeks. Once you have completed a Data Landscaping exercise to determine where the data you process resides, what it’s being used for and your legal basis for processing it, then you can start to look at the geographies and Data Processors you may be working in or with.
A vital next step is to then put in place the relevant contracts which are required. This is vital because it’s where the protection for your business comes from.
If you don’t protect your business, it’s looking increasingly likely that nobody else ‘in charge’ will.