‘When the tide goes out you can see who’s been swimming naked’ is an appropriate adage for organisations’ data protection as the UK leaves the EU.
After a long period of negotiation, the United Kingdom left the European Union on the 31st of January 2020. The UK and EU have, however, agreed on a transition period during which everything remains business as usual for individuals and organisations; it ends on the 31st of December 2020.
With little real guidance on what happens next, the only sensible policy for organisations to follow is creating and maintaining the highest standards and transparency possible. Not only is that the right thing to do morally, but it should also save swimmers’ dignity whichever way the regulation eventually turns.
Best practice is the only practice
So while Element is hopeful of an agreed partnership following the end of this period, we are also actively taking steps to ensure that the data of our customers remains protected, and that any data flows are compliant in the event of an exit without a formal agreement (typically referred to as a ‘no deal scenario’).
When it comes to data protection, no deal would have serious consequences. The UK would automatically become a third country and no longer benefit from EU-wide mechanisms such as free data flows and the One Stop Shop. A recent report from the UCL European Institute also estimates that the compliance costs to the UK economy of a scenario without an EU adequacy decision could be up to £1.6bn.
To ensure a smooth transition in preparation for every scenario, these are some of the steps we’ve been taking:
- An internal audit and review of our Records of Processing, identifying all points of data transfers from the UK to the EU, and the EU to the UK;
- Updates to our Data Protection Impact Assessments to capture any new risks from a potential regulatory change, and finding mitigation measures to address these risks;
- A review of our contracts with processors and an implementation of safeguards, such as Standard Contractual Clauses, when required;
- Relocation of some critical data to European Economic Area (EEA) servers;
- Registration of a DPO with an EU member state.
As for our Element Matrix Services offering, data sovereignty has always been a key feature, with the possibility of selecting server locations in some of our plans. We understand that for some of our customers outside of the UK and the EU nothing is changing, but would like to offer reassurance to all our customers that we are constantly monitoring jurisdiction changes that might impact any of the territories where we operate.
We have embraced the General Data Protection Regulation (GDPR) - and its UK implementation as the Data Protection Act 2018 - as relatively straightforward and high-level pieces of legislation put in place to protect people’s rights to personal data protection.
As we look forward to future legislation - in particular the EU’s Digital Services Act - we hope to see privacy enhanced for both individuals and organisations. As an organisation that offers privacy-centric communications, we’re way ahead of the requirements stipulated by regulation but conscious of the need to make it easy for our customers to clearly tick each box.
This proactive approach is why we are trusted by governments, universities and commercial organisations. We continue to make it our mission to provide everyone with a secure and private way to communicate.
Or, to think of it another way, we have the most advanced and wide-ranging swimwear range in the world. ;-)