IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

How the channel can approach data protection post-Brexit

EU exit could mean more rule changes in data protection, argues Srilekha Sankaran

The Union Jack and the European flag with a diagonal tear spitting the apart.

The European Union's (EU) General Data Protection Regulation (GDPR) has completely changed the way organisations around the globe handle EU citizens' personally identifiable information.

Hefty fines have already been imposed on companies that have failed to comply with GDPR, for example, the French data watchdog ordering Google pay €50 million for failing to meet transparency and information requirements, and not obtaining a legal basis for processing.

After GDPR came into force on 25 May 2018, data controllers have since invested significantly in accelerating their compliance process. Post-Brexit, however, the UK could become a "third country" (read: non-EU), to which transfer of personal data will be strictly regulated, and in many instances, prohibited, as per the clauses.

The outcome of Brexit negotiations is unknown, at this time, which means it falls on channel partners to guide their customers through the confusion and help them to prepare for all eventualities.

The mechanics of data adequacy

Model data protection clauses, like the Data Protection Act 1998, are being established to regulate the transfer of data to non-EU countries; these clauses are usually handled by a service provider that ensures compliance with EU data protection rules, including that of the EU-US Privacy Shield.

GDPR, however, offers certain provisions that will enable the European Commission (EC) to issue a "decision of adequacy," granting data controllers in member states the permission to transfer PII to an approved third country as though that country were part of the EU.

Securing an adequacy decision requires a significant amount of work and expertise from the concerned third country, however, with the country requesting special data transfer privileges needing to submit proof of adequate data protection regulations to the EC, and elect a designated authority that can corroborate the proof of adequacy.

Assuming the UK will no longer be a member of the EU, the country's data protection laws should theoretically meet the GDPR's standards for becoming an adequate third country.

This is easier said than done, however, and to complicate matters further, the UK is seeking an "enhanced adequacy decision," which means the UK's Information Commissioner's Office (ICO) will continue to participate in the European Data Protection Board (EDPB) for data protection decisions. Needless to say, this proposition has already faced resistance from the EU. Assuming the UK's request for enhanced adequacy is denied, there are two possible outcomes.

The first outcome is that the UK achieves an adequacy decision, which means the ICO cannot participate in the EDPB, or the alternative is the UK doesn't pass the EC's adequacy requirements and is prohibited from exchanging data with member states unless there's an authorised data transfer protocol in place.

Guiding partners through the quagmire

Brexit or not, GDPR is here to stay. Any non-compliant UK organisation with hopes of Brexit negating the effects of the regulations will be disappointed, and organisations based in the UK might need to move an offshoot of their operations to other European nation until matters surrounding Brexit become less hazy.

With the outcome of Brexit still unclear, UK organisations should prepare for the worst and have their proofs of adequacy ready should the UK become an unapproved third country. This presents an opportunity for channel partners to engage with, and educate, their customer base on the changing requirements around data protection as and when those changes unfold.

Through this engagement, partners can highlight the value of the services available that can support the changes to working practices around data collection and management, whichever way those working practices will manifest in a post-Brexit UK.

Srilekha Sankaran is product consultant at ManageEngine

Featured Resources

Activation playbook: Deliver data that powers impactful, game-changing campaigns

Bringing together data and technology to drive better business outcomes

Free Download

In unpredictable times, a data strategy is key

Data processes are crucial to guide decisions and drive business growth

Free Download

Achieving resiliency with Everything-as-a-Service (XAAS)

Transforming the enterprise IT landscape

Free Download

What is contextual analytics?

Creating more customer value in HR software applications

Free Download

Recommended

Accelerating security and success for MSPs with automation
Sponsored

Accelerating security and success for MSPs with automation

25 May 2022
Schneider Electric unveils Grid Operations Platform as a Service on Microsoft Azure
cloud computing

Schneider Electric unveils Grid Operations Platform as a Service on Microsoft Azure

24 May 2022
T-Mobile unveils new 5G Advanced Network Solutions
Network & Internet

T-Mobile unveils new 5G Advanced Network Solutions

24 May 2022
Google unveils new Assured Open Source Software service
open source

Google unveils new Assured Open Source Software service

18 May 2022

Most Popular

Europe's first autonomous petrol station opens in Lisbon
automation

Europe's first autonomous petrol station opens in Lisbon

23 May 2022
Nvidia pauses hiring to help cope with inflation
Careers & training

Nvidia pauses hiring to help cope with inflation

23 May 2022
Open source packages with millions of installs hacked to harvest AWS credentials
hacking

Open source packages with millions of installs hacked to harvest AWS credentials

24 May 2022