UK businesses should work on the assumption that the UK will not receive an adequacy decision from the EU after the Brexit transitionary period has ended, according to a panel of privacy experts at Last Thursday in Privacy on 30 July (this month sponsored by Microsoft).
The panel, discussing the future of data flows post Brexit, agreed that the UK is in deep water when it comes to receiving an adequacy decision from the EU that would allow for a continuation of the free flow of data to and from the EU. Following the Schrems II ruling, UK companies should assume that the UK is going to become a third country and steps must be taken before the decision is made.
According to Andrew Sharp, practice lead at Securys, the most obvious first step for UK companies that transfer data outside the EU is to map carefully where their data is flowing. Additionally, it will be important for these companies to engage with vendors and investigate their plans to take additional steps. He said: “It would not be prudent at this point to wait for an adequacy decision; you need to be doing something.”
Perry Keller, reader in Media and Information Law at King’s College London, added that supplemental measures, such as encryption and transparency about when the data is being accessed after it has been transferred, are a costly position for controllers.
Sarah Armstrong-Smith, chief security advisor at Microsoft, said in relation to UK adequacy: “We are proactively working within Microsoft, with our partners, and also with our customers, to consider what happens if we leave without an adequacy agreement and also what that means. […] If we need to amend any of those provisions, if we need to amend our terms of services, to enable any specific provisions from the EU, or from the UK, that is something we are actively working on at the moment.”
She added: “Everything that’s going on that we are talking about, [Microsoft] are feeding that back in terms of what does that actually mean, in regard to how we deliver our services to you, but more importantly, how do we enable our customers to be compliant and how do we enable them to always have access and maintain control of their own data.”
From July 30, Microsoft’s guidelines on how its customers using SCCs can manage their data flows are available to all customers. Microsoft’s main focus during this period, Sarah said, was enabling its customers to be compliant and ensuring that they always have access to and maintain control of their own data.
The panel urged businesses to prepare to do additional analysis and to work with providers and partners.
To watch Andrew Sharp, Sarah Armstrong-Smith, and Perry Keller discuss “Brexit Series: GDPR and the Future of the UK – Data Flows Post-Brexit” on-demand, click here.