
How the channel can approach data protection post-Brexit

EU exit could mean more rule changes in data protection, argues Srilekha Sankaran


The European Union's (EU) General Data Protection Regulation (GDPR) has completely changed the way organisations around the globe handle EU citizens' personally identifiable information.

Hefty fines have already been imposed on companies that have failed to comply with GDPR. For example, the French data watchdog ordered Google to pay €50 million for failing to meet transparency and information requirements, and for not obtaining a legal basis for processing.

Since GDPR came into force on 25 May 2018, data controllers have invested significantly in accelerating their compliance process. Post-Brexit, however, the UK could become a "third country" (read: non-EU), to which transfer of personal data will be strictly regulated, and in many instances, prohibited, as per the clauses.

The outcome of Brexit negotiations is unknown at this time, which means it falls on channel partners to guide their customers through the confusion and help them to prepare for all eventualities.

The mechanics of data adequacy

Model data protection clauses, like the Data Protection Act 1998, are being established to regulate the transfer of data to non-EU countries; these clauses are usually handled by a service provider that ensures compliance with EU data protection rules, including that of the EU-US Privacy Shield.

GDPR, however, offers certain provisions that will enable the European Commission (EC) to issue a "decision of adequacy," granting data controllers in member states the permission to transfer PII to an approved third country as though that country were part of the EU.

Securing an adequacy decision requires a significant amount of work and expertise from the concerned third country, however, with the country requesting special data transfer privileges needing to submit proof of adequate data protection regulations to the EC, and elect a designated authority that can corroborate the proof of adequacy.

Assuming the UK will no longer be a member of the EU, the country's data protection laws should theoretically meet the GDPR's standards for becoming an adequate third country.

This is easier said than done, however, and to complicate matters further, the UK is seeking an "enhanced adequacy decision," which means the UK's Information Commissioner's Office (ICO) will continue to participate in the European Data Protection Board (EDPB) for data protection decisions. Needless to say, this proposition has already faced resistance from the EU. Assuming the UK's request for enhanced adequacy is denied, there are two possible outcomes.

The first outcome is that the UK achieves an adequacy decision, which means the ICO cannot participate in the EDPB. The alternative is that the UK doesn't pass the EC's adequacy requirements and is prohibited from exchanging data with member states unless there's an authorised data transfer protocol in place.

Guiding partners through the quagmire

Brexit or not, GDPR is here to stay. Any non-compliant UK organisation with hopes of Brexit negating the effects of the regulations will be disappointed, and organisations based in the UK might need to move an offshoot of their operations to another European nation until matters surrounding Brexit become less hazy.

With the outcome of Brexit still unclear, UK organisations should prepare for the worst and have their proofs of adequacy ready should the UK become an unapproved third country. This presents an opportunity for channel partners to engage with, and educate, their customer base on the changing requirements around data protection as and when those changes unfold.

Through this engagement, partners can highlight the value of the services available that can support the changes to working practices around data collection and management, whichever way those working practices will manifest in a post-Brexit UK.

Srilekha Sankaran is product consultant at ManageEngine
