Uncertainty looms over UK’s post-Brexit data protection position: What CISOs should do now

A cloud of uncertainty hangs over the immediate and long-term future of the UK’s  GDPR compliance position post-Brexit. As a result, data protection and compliance experts are calling on UK CISOs to take action to ensure their organizations adhere to GDPR law amid the ongoing ambiguity.

As a non-EU/EEA state, the UK has benefited from a temporary deal granting it data protection adequacy since January. Under the GDPR, the EU has the power to make “adequacy decisions” as to whether a non-EU/EEA country offers sufficient levels of data protection that comply with the regulations. If it is deemed that such a country does indeed meet the required GDPR standards, EU/EEA data transfers can be made to and from said country without the need for additional safeguarding measures. This has significant impact on how freely UK organisations can share data across Europe. Without it, the UK is considered a “third country” and UK organisations are required to implement more stringent data protection frameworks to comply with GDPR.

The UK’s temporary deal is set to expire at the end of April, and now an EU committee will decide whether the UK is granted full data adequacy or not. If adopted, it would run for a proposed period of four years.

On April 14, 2021, the European Data Protection Board (EDPB) issued a non-binding opinion recommending the acceptance of the draft adequacy decision concerning the UK’s general data protection and transfer position. It stated there is “strong alignment” between the EU and the UK data protection frameworks.

UK “still some way” from full GDPR data protection adequacy

However, whilst the EDPB’s approval is significant, there is no guarantee when (or if) the decision will be passed by the EU. The EDPB has highlighted areas requiring further assessment and monitoring, which could prove to be potential sticking points. These include the UK exception for immigration data, onwards transfers, and the role and powers of security services. What’s more, even if adequacy is granted, it will be open to legal challenges and disruption from privacy groups going forward—something that has played out in the US with the Schrems litigation case and the successful challenges to Safe Harbour and Privacy Shield.

So, despite the promising EDPB endorsement, the lingering uncertainties over the UK’s data protection status under EU law leave organisations and CISOs in the UK in somewhat of a post-Brexit data protection limbo.

“The EDPB announcement is another step on the road to a permanent deal, but we’ve still got some way to go,” Jonathan Armstrong, lawyer and partner at compliance firm Cordery, tells CSO. “The worst-case scenario is that the temporary data deal expires at the end of the month and nothing replaces it. Whilst it’s more likely that there will be a two-month extension to the deal, which should allow time for progress to be made with the adequacy decisions, even this could go to the wire and we might not have meaningful progress until June, the final month allowed by the temporary deal agreed by the UK and EU.”

The longer-term future is just as murky, Armstrong adds. “My gut feel is that the UK will get an adequacy decision but that it will be challenged. The challenge will take some time to come to court—maybe two to three years—so we’ll have a dark cloud over data transfers for a good while yet.”

CISOs should prepare for any outcome

Businesses must therefore prepare for all eventualities, Armstrong argues. He urges UK CISOs to review their organisations’ data transfer processes and prepare an interim solution in the event that either no decision is made or adequacy is disrupted by legal challenges. This will ensure they have the required additional frameworks in place to comply with GDPR regardless of the UK’s decided data protection position.

Rowenna Fielding, data protection expert and privacy proponent concurs, adding that UK security leaders will likely need to assist their organisation’s DPO or privacy lead in compiling GDPR assurance materials, along with generating action plans and budgets for addressing areas of concern. “It’s very important that security leaders collaborate with their colleagues in privacy and data protection as soon as possible, because they need to assess the business impacts of operating within a third country and discuss suitable options,” she says.

5 steps to plan for GDPR compliance, whatever the EU’s decision

So how can CISOs achieve such goals? Armstrong advises that a five-step approach will prove effective, starting with the mapping of all key business data flows, in and out of the UK. “A lot of organisations just don’t know where their data is,” he says. “We often help clients with their compliance after a data breach when the compromised supplier or server was off the CISO’s radar. Organisations need to know where their data is to protect it and meet their legal obligations.”

Next, CISOs need to put agreements in place to protect data transfers, including intra-company transfers. “GDPR—both in the EU and in the UK—requires there to be data transfer agreements in place with key terms outlined. Even companies with the same ownership (like subsidiaries or service companies) must be included in this contractual framework.”

Once that’s achieved, CISOs should complete a Schrems III double due diligence test, Armstrong adds, starting with suppliers before shoring up transfers to group companies and key existing providers that are the most critical to operations. “Essentially you’re looking at due diligence on the entity which is receiving the data and due diligence on the location where the data is going.”

Implementing a long-term strategy with regards to data localisation is the best next step, Armstrong believes. “This might include changing the location of servers for some critical data processing; some organisations are trying to get their data to stay local. In some countries like Russia and China this can be a legal requirement. We’re seeing more of a trend of data localisation in the EU too—in some respect this is made easier by the investment even large US providers have made in EU data centres so it’s often just as easy to host the data in Europe as it is in the US and keeping the data in Europe might help with compliance obligations.”

Lastly, CISOs should review their organisation’s privacy policy, focusing on transparency with employees and customers around data transfers. “We are seeing regulators ask questions when privacy policies haven’t been updated, especially since the collapse of the EU-US Privacy Shield scheme,” Armstrong explains. “There’s also threatened litigation—for example, against one online marketplace in Germany whose privacy policy didn’t reflect legal changes. It’s important to review your privacy policy and your communications with customers and employees to reflect the post-Brexit world.”

Ultimately, what form the UK’s post-Brexit data protection position will take in both the short- and long-term future remains unclear. However, what seems abundantly apparent is that UK businesses and security leaders should take appropriate action to ensure their data management practices adhere to GDPR irrespective of whether the nation is granted and maintains full EU data protection adequacy, or not.

As Fielding concludes, “If an organisation can show that they are complying with the GDPR at this time, then doing so once the UK is a third country should be mostly business as usual. Breaches are not the biggest risk for UK organisations right now—staying competitive in the European marketplace is.”