Why Brexit and GDPR will Bring Data Sovereignty to the Fore
In the initial fallout of the EU Referendum in June 2016, most people were concerned about the economy and their own personal situations rather than data sovereignty. Even in the technology world, the focus was on access to markets and talent rather than where data is stored.
But as we edge ever nearer to leaving the European Union, the issue is getting closer to the forefront of people’s minds, particularly with GDPR an even more immediate prospect. And with nearly nine tenths of all UK businesses using at least one cloud service, it’s something a lot of us will have to think about.
Depending on the outcome of negotiations with the EU, how organisations in the UK store and handle data could become very different.
What is data sovereignty?
Even if the term is unfamiliar, the concept shouldn’t be. It is essentially the question of where data is physically stored, and therefore which country’s laws reach it, driven by regulation or by an organisation’s own preference. EU law restricts transfers of personal data about people in the EU to countries outside it unless those countries offer a comparable level of protection, and this has led many tech companies to build data centres within the EU to serve the local market.
Some global organisations prefer to use EU data centres because of these protections, while others want their information held in a specific territory so that it sits close to users and performs better.
Some governments go a step further, with rules for particular categories of data that require them to be kept in-country; Germany is a commonly cited example, and a number of nations require individual industries, such as health and finance, to keep information domestically.
EU-US data transfers
The importance of data sovereignty was demonstrated by the invalidation of the ‘Safe Harbor’ framework in 2015. This arrangement allowed personal data to be transferred from the EU to the US without losing the protection afforded by EU privacy legislation.
US privacy law is not deemed equivalent to that of the EU, and since much of the data collected by technology companies is processed and stored in data centres in the US, Safe Harbor let American companies self-certify that they followed a set of privacy principles the EU accepted as adequate.
However, the 2013 revelations about US mass-surveillance programmes resulted in demands for a new mechanism.
While the European Commission and the US were still negotiating a revised framework, the Court of Justice of the European Union ruled in October 2015, in a case brought by privacy campaigner Max Schrems, that Safe Harbor was no longer a valid legal basis for the transfer of personal data across the Atlantic. With no replacement framework in place, uncertainty ensued and tech firms such as Amazon, Facebook and Google were affected.
The end result was ‘Privacy Shield’, a new system that was claimed to give Europeans more oversight. US companies wishing to receive EU data must self-certify annually and respond to complaints from individuals within 45 days, and an ombudsperson was created to handle complaints about access to data by US intelligence agencies.
The length of negotiations and the seriousness of the reversal is a reminder of what is at stake amid the Brexit uncertainties.
The impact of GDPR
On top of Brexit, a new layer of EU privacy protection applies from 25 May 2018: the General Data Protection Regulation (GDPR). It gives individuals more control over what data organisations can collect about them, how they collect it and what it is used for. Individuals can also demand to see what data is held on them and, in many circumstances, request that their personal data is deleted.
GDPR also places obligations on organisations that handle the personal data of people in the EU, even if they are based outside the EU, to protect this information and to be transparent about how it is going to be used.
Any organisation wanting to do business in the EU will have to comply or face significant fines: up to €20 million or 4% of worldwide annual turnover, whichever is higher.
So how will Brexit affect this?
In all honesty, it’s too early to say how Brexit will impact this situation; nothing could change or everything could change.
One thing is certain: GDPR is already having an impact. The UK is still a member of the EU, and GDPR will be carried into British law through a new Data Protection Bill. The regulation is likely to be the blueprint for similar legislation around the world, so it is in everyone’s interest to be compliant regardless of what happens in the Brexit negotiations.
As for data transfers, the situation is less clear. The government has stated that it has no desire to introduce obstacles to the free flow of data between the UK and Europe, but this will depend on what kind of deal it can reach with the EU.
Maintaining parity with EU privacy laws and staying within the European Digital Single Market would be the most obvious way to achieve this, but a custom arrangement is more likely, most plausibly an EU ‘adequacy decision’ recognising UK law as offering equivalent protection. The fact that the EU and UK have been aligned for so long should mean negotiations are less complex than those between the EU and the US, and both parties have indicated a willingness to work together on this particular issue.
What will EU-UK data transfers look like?
There will also be a need to safeguard data transferred from the UK to the US, as the EU-US Privacy Shield will no longer cover the UK post-Brexit. The UK will need to negotiate its own deal, and the existing framework could serve as a blueprint: Switzerland has used Privacy Shield as the basis for its own transatlantic data transfer agreement.
Although not part of the EU, Switzerland is a member of the European Free Trade Association (EFTA) and has a series of bilateral agreements with the EU under which it adopts many of the bigger bloc’s policies. Those agreements give Switzerland access to much of the European Single Market, however, and there is no guarantee the UK will have equivalent access after Brexit.
If no agreement is reached, organisations that hold EU personal data in the UK would need to put another transfer mechanism in place or find a new EU territory to house their information. Separately, certain industries in the UK may have to hold their data in British data centres rather than in the EU.
In the absence of a mass ‘one-size-fits-all’ framework like Privacy Shield, an alternative for UK firms could be Binding Corporate Rules (BCRs). BCRs are an organisation’s own internal rules for moving personal data within its corporate group; they must be approved by a lead data protection authority (for a group headquartered in the UK, the Information Commissioner’s Office (ICO)) and, under GDPR, are then recognised across the EU. They only cover intra-group transfers, so transfers to third parties still need another basis, such as the EU’s standard contractual clauses.
How can you prepare?
Despite this uncertainty, there are technological steps that can minimise any potential disruption. The key is greater visibility and control over where your data and applications are stored, combined with stronger security measures, actions which will benefit your organisation regardless of what happens with Brexit.
The most obvious step is to ensure you have the ability to move data between the UK and the EU. Nearly all of the major public cloud vendors have launched UK regions over the past few years, and with many other service providers offering their applications on these platforms, it is an easy way to choose where workloads are stored. Bear in mind that picking a region pins only the primary copy of the data: you also need to check where backups, geo-redundant replicas, logs and support-staff access sit, because any of those can take the data somewhere else.
For example, Microsoft has regions all around the world, allowing Azure and Office 365 customers to keep operating with minimal disruption. Microsoft has also committed to GDPR-aligned contractual terms for both services, although using a compliant provider does not make your organisation compliant; how you configure and use the platform remains your responsibility.
The other option is to consider a hybrid strategy, moving some applications and data to a private cloud. Microsoft Azure Stack delivers a subset of the Azure platform’s services on private hardware from a range of vendors, such as Dell, HPE and Lenovo, so data can stay on premises while using the same tooling.
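As an added illustration (not part of the original article, and not Microsoft’s or any vendor’s tooling), the following Python script audits a constructed resource inventory against a hypothetical residency policy. It makes the point that a resource’s primary region is not the whole story: a geo-redundant replica or backup target can carry the same data into a region the policy forbids. The region names, data classifications and the inventory are all assumptions made for the example.

```python
"""Residency audit over a cloud resource inventory (added example, not from the article).

Checks each resource's primary region AND its replica/backup region against the
regions its data classification may live in.  The policy, the region names and
the inventory are constructed for illustration; region identifiers follow
Azure's short names but the mapping itself is an assumption, not Microsoft's.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set

# Hypothetical policy: classification -> regions where that data may be stored.
# None means "no restriction" (e.g. public marketing content).
RESIDENCY_POLICY: Dict[str, Optional[Set[str]]] = {
    "eu-personal": {"uksouth", "ukwest", "westeurope", "northeurope"},
    "uk-regulated": {"uksouth", "ukwest"},   # e.g. a sector rule keeping data in the UK
    "public": None,
}


@dataclass(frozen=True)
class Resource:
    name: str
    classification: str
    region: str                            # where the primary copy lives
    replica_region: Optional[str] = None   # geo-redundant copy or backup target, if any


def check_resource(res: Resource) -> List[str]:
    """Return violation messages for one resource; an empty list means compliant."""
    if res.classification not in RESIDENCY_POLICY:
        # Unclassified data cannot be judged, so fail closed and report it.
        return [f"{res.name}: unknown classification '{res.classification}'"]
    allowed = RESIDENCY_POLICY[res.classification]
    if allowed is None:
        return []
    problems: List[str] = []
    if res.region not in allowed:
        problems.append(
            f"{res.name}: primary copy in {res.region} is not permitted for {res.classification}"
        )
    # The replica is checked separately: a compliant primary with a non-compliant
    # replica is the case that region-pinning alone misses.
    if res.replica_region is not None and res.replica_region not in allowed:
        problems.append(
            f"{res.name}: replica in {res.replica_region} is not permitted for {res.classification}"
        )
    return problems


def audit(inventory: Iterable[Resource]) -> List[str]:
    """Run check_resource over a whole inventory and collect every violation."""
    return [msg for res in inventory for msg in check_resource(res)]


# Constructed sample inventory, shaped like an export from a cloud asset register.
SAMPLE_INVENTORY = [
    Resource("crm-db", "eu-personal", "uksouth", "ukwest"),        # compliant
    Resource("hr-backup", "eu-personal", "westeurope", "eastus"),   # replica leaves the EU
    Resource("payments-ledger", "uk-regulated", "westeurope"),      # primary outside the UK
    Resource("marketing-site", "public", "eastus"),                 # unrestricted
    Resource("legacy-share", "pii", "uksouth"),                     # never classified
]

if __name__ == "__main__":
    for line in audit(SAMPLE_INVENTORY) or ["no violations"]:
        print(line)
```

Running the script against the sample inventory reports three problems: the HR backup whose geo-redundant copy lands outside the EU, the regulated ledger whose primary sits outside the UK, and the unclassified share. In practice the inventory would come from the cloud provider’s resource API or a CMDB export, and the policy table from whatever your legal team has agreed; the check itself does not change.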
As for GDPR, you will need to protect your data no matter where it is stored, and there are hefty penalties for anyone that is not compliant, especially if there is a data breach and you have not taken appropriate measures.
GDPR mandates ‘data protection by design and by default’, meaning you should have tools that govern who can access what information on what device, and a full data lifecycle management plan covering how data is used and for how long it is retained.
Mobile Device Management (MDM) tools will help protect this data and remotely wipe it if a device is lost or stolen, and you should also ensure your endpoint security tools are up to scratch, protecting staff from malware, attackers and phishing scams.
Brexit is a minefield of uncertainty and the world of IT is still coming to terms with what it means. Much of what changes is in the hands of our politicians, but not everything is out of the control of individual organisations. Adopting these practices will improve your business regardless, and with GDPR in force, most of them are required anyway.