Many businesses are struggling to understand all the chaos and noise surrounding the current developments in the saga that is Brexit. The only ‘sure thing’ about a ‘no deal’ Brexit is the uncertainty.
Our customers remain worried about the implications of a weak pound, the way in which they will be able to recruit and retain staff (for example, about 8% of the UK’s tech sector originate from the EU), and, of course, the impact upon trade, funding, EC VAT implications and passporting rights.
One significant consideration which all organisations need to start addressing now is the impact that crashing out of the EU would have on data protection. If your organisation processes personal data in the UK, you need to ask yourself three key questions:
- Does my business/organisation move data across international borders?
- Do I understand the implications of this?
- Do I know how I will manage my data if the UK reaches the end of March with no deal?
To illustrate this, we’ll look at a real life example from our own community:
“My company XYZ is a small to medium enterprise based in the West Midlands. We operate on a global basis selling niche testing, consulting and advising services alongside a product portfolio of chemical test packs that are sold via eCommerce. We also have a network of distributors and agents that sell our products in Europe”.
In our example above, XYZ is required to adhere to the robust data protection regime that our own UK Data Protection Act 2018 enforces, which implements the GDPR within the UK. When we process and share data with other European countries we rely on the principle of ‘adequacy’.
Any ‘third country’ that wants to share data with a European country subject to the GDPR must prove that it has data protection principles aligned with those of the EU in order to be deemed ‘adequate’. In this respect, our business needs to consider how it will process data about its EU customers and share it with its pan-European sales network.
A no-deal Brexit would leave the UK with its Data Protection Act 2018 (DPA 2018) in place. The part that would complicate things is that by leaving the EU, the UK won’t have an arrangement for data sharing with other European countries, as it will no longer be part of the territorial scope which is fundamental to the GDPR. Instead, the UK will become a so-called ‘third country’, and the European Commission would have to start the adequacy procedure with the UK after Brexit; it wouldn’t happen overnight or be automatic. Even with our robust data protection laws in place it could still take several years for the process to complete. Meanwhile, whilst the UK waited for its adequacy status to be granted, it would become far more difficult for any business or organisation that processes personal data to share it with other countries in the EU. Other countries such as Japan and Canada also have robust data protection laws that include data export controls in line with the GDPR. Whilst the UK may be happy to send and share data with other countries, it would not necessarily follow that everyone would be happy to share it with us!
In this scenario, the UK will have to rely on Binding Corporate Rules (BCRs) and Standard Contractual Clauses (SCCs) to share data within a group for non-UK operations and with any EU partners, to ensure that the appropriate safeguards are in place to legitimise data transfers within the EU. Obviously, this will put a strain on the overloaded resources of many organisations that are already swamped by a myriad of concerns and operational difficulties brought about by Brexit. Whilst the larger organisations with designated privacy teams have been aware of this looming for some time, it will come as a shock to the smaller companies that have only just really started to grapple with the realities of the recent changes to data protection legislation passed in May last year.
The advice revolves around six key steps:
1. Continue to comply
Continue to apply GDPR standards and follow current ICO guidance. If you have a Data Protection Officer, they can continue in the same role for both the UK and Europe.
2. Transfers to the UK
Review your data flows and identify where you receive data into the UK from the European Economic Area (EEA). Think about what GDPR safeguards you can put in place to ensure that data can continue to flow once we are outside the EU. Standard contractual clauses are one such GDPR safeguard; the ICO has produced an interactive tool to help businesses understand and complete standard contractual clauses.
3. Transfers from the UK
Review your data flows and identify where you transfer data from the UK to any country outside the UK, as these will fall under new UK transfer and documentation provisions.
4. European operations
If you operate across Europe, review your structure, processing operations and data flows to assess how the UK’s exit from the EU will affect the data protection regimes that apply to you.
5. Documentation
Review your privacy information and your internal documentation to identify any details that will need updating when the UK leaves the EU.
6. Organisational awareness
Make sure key people in your organisation are aware of these key issues. Include these steps in any planning for leaving the EU, and keep up to date with the latest information and guidance.
How can my CRM help me with all this?
If this article has left your head spinning, then take some comfort in the fact that your CRM is already providing you with a single central repository for your organisation’s data. Assuming that you’ve already taken steps to comply with the DPA 2018 and the GDPR, which came into force in May last year, then you should continue to apply these standards (Point 1).
To consider Points 2 and 3, you need to think about data flows from your organisation to (and from) any country outside the UK. Some filters and queries will help here. For example, you can produce a definitive list of the countries held in a GoldMine CRM database by running the following query:
select distinct contact1.country from contact1 order by country
Some further segmentation will help to identify agents, end user customers, distributors, vendors, partners, freelance workers etc.
Once you’ve identified and mapped your data, you can start thinking about Point 4. For example, if your queries have identified a large number of end user customers in France you will need to think about the legal way in which you can continue to process this data.
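The distinct-country query above tells you which countries appear in the database, but for Points 2, 3 and 4 you also need to know how many contacts sit in each country and whether that country is inside the EEA, the UK, or a third country. The query below is an added example, not GoldMine’s own code or part of the ICO guidance; the only GoldMine schema it relies on is the contact1 table and its country column used above. The EEA list is constructed here for illustration and is assumed to be checked against current ICO guidance; it also assumes country is stored as free text, so spelling variants (‘UK’, ‘U.K.’, ‘England’) should first be identified with the distinct query and normalised, or they will land in the wrong bucket.

```sql
-- Added example: classify every contact's country for the transfer review.
-- Assumptions (not from the article or GoldMine documentation):
--   * contact1.country holds free-text country names;
--   * the EEA list below is illustrative and must be verified before use;
--   * 'United Kingdom' is the normalised value used for UK contacts.
WITH eea(country) AS (
    SELECT 'Austria'  UNION ALL SELECT 'Belgium'     UNION ALL SELECT 'Bulgaria'
    UNION ALL SELECT 'Croatia'  UNION ALL SELECT 'Cyprus'  UNION ALL SELECT 'Czech Republic'
    UNION ALL SELECT 'Denmark'  UNION ALL SELECT 'Estonia' UNION ALL SELECT 'Finland'
    UNION ALL SELECT 'France'   UNION ALL SELECT 'Germany' UNION ALL SELECT 'Greece'
    UNION ALL SELECT 'Hungary'  UNION ALL SELECT 'Iceland' UNION ALL SELECT 'Ireland'
    UNION ALL SELECT 'Italy'    UNION ALL SELECT 'Latvia'  UNION ALL SELECT 'Liechtenstein'
    UNION ALL SELECT 'Lithuania' UNION ALL SELECT 'Luxembourg' UNION ALL SELECT 'Malta'
    UNION ALL SELECT 'Netherlands' UNION ALL SELECT 'Norway' UNION ALL SELECT 'Poland'
    UNION ALL SELECT 'Portugal' UNION ALL SELECT 'Romania' UNION ALL SELECT 'Slovakia'
    UNION ALL SELECT 'Slovenia' UNION ALL SELECT 'Spain'   UNION ALL SELECT 'Sweden'
),
-- Trim whitespace and fold case once, so the join and the bucketing agree.
contacts AS (
    SELECT LOWER(LTRIM(RTRIM(country))) AS country_norm
    FROM contact1
)
SELECT
    COALESCE(c.country_norm, '(blank)')              AS country,
    COUNT(*)                                         AS contact_count,
    CASE
        WHEN c.country_norm IS NULL OR c.country_norm = '' THEN 'Unknown - fix before mapping'
        WHEN c.country_norm = 'united kingdom'             THEN 'UK (domestic)'
        WHEN e.country IS NOT NULL                         THEN 'EEA (Point 2/3 transfers)'
        ELSE                                                    'Other third country (Point 3)'
    END                                              AS transfer_region
FROM contacts c
LEFT JOIN eea e ON c.country_norm = LOWER(e.country)
GROUP BY c.country_norm, e.country
ORDER BY contact_count DESC;
```

Rows flagged ‘Unknown’ are contacts whose country is blank; they cannot be placed on a data-flow map, so clean them up before relying on the totals. The EEA bucket is the one that matters most for Point 2, since those are the contacts whose data currently reaches the UK under the GDPR’s territorial scope and would need a safeguard such as standard contractual clauses after a no-deal exit.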
The GDPR and the Data Protection Act 2018 enforce the principle of ‘accountability’, which requires an organisation to demonstrate that it is taking control of its own data protection strategy and enforcing it through policies, awareness and training. Your CRM’s Info Centre or Knowledgebase is a very useful centralised repository for organisational information of this sort, so think about linking in all the relevant documentation and procedures, and ensuring that your key team members are trained in how to access and use them. This will help with Point 5 (Documentation).
Organisational awareness (Point 6) should sit at the heart of every organisation that takes its data protection obligations seriously. A well designed and conceived CRM system can help to ensure that data minimisation and retention standards are adhered to and bring this key issue to the forefront of an organisation’s data protection and security strategy.
Given the havoc that Brexit is causing and the very short timeline from now until D-day (29th March 2019), it’s imperative that you start considering the actions you need to take to protect the operation and reputation of your business, staff, customers and stakeholders with regard to all things data.