Brexit and data compliance – What you need to be thinking about in an uncertain future

With the outcome of Brexit still uncertain, many organisations are facing severe challenges in planning for their business needs for the next few years. While it’s usually spoken about in terms of physical transfers of goods, this has also affected data-driven organisations.

Currently, data can flow freely between British and European individuals and locations (under the terms and privacy policies of the organisations concerned, of course), as under GDPR all member states have a common regulatory framework for data protection. However, what happens after Brexit is still very much unknown.

The draft withdrawal agreement negotiated in 2018 includes a commitment that EU Law (including GDPR) would still apply during the time that follows (known as the implementation period), while a long-term relationship is negotiated.

However, as everyone is aware now, there’s a huge degree of uncertainty around the actual direction and outcome of Brexit in every timeframe – immediate, short, medium, and long-term.

Even so, there are courses of action that you can take to insulate yourself from this uncertainty.

By using a data collection partner that’s based in, and stores its data in, the United Kingdom, you can be assured that data access and transfers aren’t an issue, however Brexit turns out.

If collecting data from EU citizens post-Brexit is a concern, then this can still be done by choosing a provider who can enter into a binding processing agreement that data will be treated as required and not subject to any transfers outside the UK.

You may think that if you’re dealing with an organisation with a UK business address, everything is fine, but there are pitfalls with this approach. For example, even if a company has UK data storage, you should check where their support and development staff are located. Support staff often need to access user accounts to resolve any issues that are raised, and if those staff are based outside the UK, this access would count as a data transfer under GDPR.

So, the most important thing any organisation can do in the current climate is to check with their current data processing partners.

Ask them the following questions:

Where do you store our data?

Where are your support staff based?

Where are your development staff based?

If any of the answers to the above questions are not “In the UK”, then it could be time to look for a new solution to make sure you’ll be compliant with your data protection obligations in the time ahead.