27/09/2021 There are few areas of business left unimpacted by Brexit, with data protection being no exception. In the below interview, Foyaz Uddin, Head of Privacy & Data Protection Services at Mazars tells us about refining data maps and inventories, the pre-and post-Brexit picture, and the need to be proactive about processes.
Give us the pre-Brexit picture: how harmonious was data protection and management across the EU?
Foyaz Uddin: There was a move towards greater harmonisation of data protection rules with the introduction of the GDPR in 2018. Previously, each EU member state had the ability to diverge and you saw an occasionally scattered approach to data protection. The GDPR brought quite a lot of the pieces together, pinning businesses and organisations with its large fines and powers to enforce non-compliance. For instance, the territorial reach of the GDPR widened the scope of the countries in which businesses were required to meet compliance obligations. Further, it made businesses and organisations accountable for data protection and mandated a ‘demonstrate compliance’ approach.
Processing and transferring data was, for a time, made seamless in the EU as well as further afield; you could be based in China or New Zealand and be offering goods in the UK, and it was still clear what requirements you were bound by. We saw many regions adopt similar standards pre-Brexit.
What are the main ways in which Brexit has changed data management on the continent and in the UK?
FU: With the UK becoming a ‘third country’, the main worry for UK and EU businesses was that it would not be awarded an adequacy decision, which would have meant additional compliance burdens for businesses seeking to transfer data across borders. That has since been granted until 2025, included as a sunset clause, which allows data to flow between the UK and EU in a largely similar way to pre-Brexit. The GDPR is also now part of UK law and, minus a few tweaks around immigration and intelligence, regulation is largely identical.
This status is subject to a continuous monitoring process by the EU, which would mean if the UK makes radical changes to its data protection regime, which do not provide appropriate safeguards to data subjects, the adequacy decision may come to an end earlier.
One development to keep watch over is the Information Commissioners Office’s (ICO) latest consultation on the protection of personal data when transferring it internationally. The ICO has adopted a new document known as the International Data Transfer Agreement (IDTA) which is meant to take the role of the EU’s Standard Contractual Clauses (SCCs) – and contains some subtle differences and points of divergence (for example, including introducing a formal yearly review process for Transfer Risk Assessments that the EU does not mandate). However, there is greater clarity in most areas in comparison to the EU SCC’s and there are some proposed changes that make it less burdensome on legal and compliance teams.
So, although data management hasn’t drastically changed, concerns and questions still rightly exist. Not only will adequacy status be up for debate again in 2025 but we are seeing rapid global changes in how different governments police data globally – including a new law in China around data protection and a likely GDPR-style law in the US to harmonise standards. These global changes could impact how the UK and EU make their own adequacy decisions, which may lead to some divergences in how both regions facilitate global data flows. This all comes alongside intensifying pressure from customers around data privacy.
In response, businesses need to ensure they know what’s happening with the data they handle: where it flows, where it enters the organisation and who has access internally and via the supply chain – commonly known as data maps. Having a solid understanding of your data maps serves as robust initial preparation for adapting to the ever-changing data protection landscape. Nailing down on the finer details of data processing allows organisations to understand what safeguards and measures need to be in place for the respective data, a increasingly likely requirement in the very near future.
Which, if any, companies may find it useful to appoint local representatives – either in the EU or the UK? And how do you go about it?
FU: This process is governed by Article 27 of the GDPR (both the EU and the UK versions are consistent on this). If you are in the UK (or anywhere outside the EU) and you are processing personal data of EU citizens in the course of offering goods and services in the EU, but you do not have an established base there, you are likely required to appoint an EU representative. This principle is the same for UK local representatives. If you’re operating across multiple regions in the EU, choose where most of your business occurs and appoint one there. Setting up small businesses on the continent is another solution, as well as appointing a professional services firm or a third party in that region.
What is your advice to responsible parties for securing their data processes?
FU: It all links back to understanding the data you process and how this is articulated. If you don’t know how data travels around your business – for example which server or apps you use, or whether it’s leaving the EU or not – then it will be very difficult to put the right safeguards in place, and to communicate and build trust with your customers or data subjects effectively. Privacy should always be the default position and in the last 3 years, with more technological developments, we have seen a greater move towards privacy by design in various industries and sectors across the globe, but more work is still to be done.
Do you have any advice for not just keeping up with data protection but doing it well in the face of diverging rules between the EU and the UK?
FU: Data safeguarding is far too often seen as something reactive, so it’s rare to find organisations going above and beyond – despite the technological advances that now exist to help. Teams dedicated to data protection are relatively new and small, sometimes just two or three people working within a global firm. That’s why external assistance is often so valuable.
Budget constraints and gaps in knowledge have combined to make data protection a field for firefighting rather than value creation. That needs to change and leaders at the board and C-suite level need to appreciate how crucial proper data handling is to their organisation’s success. Small missteps over pieces of legislation can cripple a business. Leaders would be wise to respond to new demands and put data protection at the top of their agenda.
Good data protection practice involves proactively thinking about how you can design your business processes in a way that considers privacy at the outset, which can help you maximise the value of your data while maintaining trust and transparency with your customers. A deep understanding of how personal data flows through your organisation is therefore critical, as is making sure that you have solid legal foundations for your data processing activities.
Moreover, having the right governance model for your privacy programme is somewhat undermined and overlooked by organisations. This is the foundation of how the rest of the compliance activities will be achieved and what the core team(s) will flow through. There are options i.e. centralised, localised/decentralised and hybrid which will not suit all. Choosing the right model will allow you to do things more efficiently and effectively.
While the GDPR provided an avenue to harmonise rules across the EU and had a major influence on bringing consistency to transfers of data to and from third countries, Brexit gives the UK an opportunity to craft its own rulesets. This may potentially lead to greater divergences in the process as we are currently seeing with the ICO’s consultation and the UK Government’s review of data legislation, so businesses must not take their eye off future developments in the area.
Mazars has substantial experience assisting a wide range of businesses with their data protection compliance issues and providing advice and guidance on how to make the most of their data. Get in touch to find out how Mazars can help your organisation.
Get in touch with us
We can help answer more specific questions related to your sector and size. Please click the button below to complete our enquiry form and one of our experts will be in touch.