With an unknown Brexit on the horizon, many organisations are concerned about international data protection and security. And they’re right to be. The UK economy is heavily reliant on the free flow of data. Data is responsible for £240bn of UK economic activity, and three quarters of our data transfers are with EU countries.
If data flow restrictions are put in place after Brexit, UK businesses will be at a competitive disadvantage, and the security of our data could be compromised.
Brexit data security risks
So what are the risks and how can you minimise them?
(1) Data access
The EU has high data protection standards. All EU countries have signed up to these standards, including the recently implemented General Data Protection Regulation (GDPR). This means that personal data can be transferred freely throughout European Economic Area (EEA) member states with a guarantee that it will be secure and protected.
If the UK leaves the EU without a deal, it will be classed as a “third country” by the EU and will no longer be able to access and utilise this data. The UK has proposed a new data protection agreement and is currently negotiating on the basis that there will be a 21-month implementation period, during which existing legislation will continue, giving organisations more time to meet compliance rules for any new regulations.
(2) Data adequacy
The EU has said that the UK will need to apply to be put on the list of safe countries for data access, by showing that it meets the EU requirements for data adequacy. Until access is granted, it may be illegal to hold any data in the UK that refers to EU citizens.
Data adequacy assessments for other countries have taken between 18 months and five years, so it is possible but not probable that the proposed 21-month implementation period will allow enough time for this.
(3) Data protection and security
Not only does the data adequacy decision pose uncertainty for the future of data outside of the UK, but legal snags (like the US Patriot Act) are also already causing headaches for UK businesses protecting their data internationally.
When entrusting your data to an American company, you’re also unknowingly laying down the red carpet for the US Government, inviting them to take a look around, copy and, in some cases, even delete your information.
You can read more about the US Patriot Act in our blog post ‘Finding the right disaster recovery provider’.
The EU has declared that the US and Canada only provide partial data adequacy. As the UK shares data with the US, this may prevent the UK from meeting the EU’s data adequacy requirements.
How to protect data from Brexit risks
Time is running out to protect your organisation’s data from the impacts of Brexit before the March 2019 deadline. But there’s no need to panic: there are steps IT managers can take now to mitigate the risks.
(1) Standard Contractual Clauses (SCCs)
In the absence of a post-Brexit data adequacy decision or an alternative agreement, data transfers to the UK from the EEC would require extra safeguards to ensure compliance. The onus would be on individual organisations to arrange these safeguards.
One option for individual businesses is to create and apply SCCs between themselves and all the other organisations they share data with. SCCs provide a written agreement between the data sender and data receiver, which guarantees that European Commission privacy standards will be upheld by both parties.
This option is likely to be costly and cumbersome, especially for small businesses. Smaller organisations may not want to sign up to SCCs provided by their partners if the extra administrative burden is prohibitive. The ECJ can also mount a legal challenge to SCCs, and is currently doing so in the case between Facebook Ireland and Schrems.
(2) Binding Corporate Rules (BCRs)
Multinational companies that move EEA data through the UK also have the option to implement BCRs. These are a strict set of rules governing how data can be moved around different countries, but only within the same corporate group.
BCRs can be complicated, and even once all the work has been done to put them together, submitted applications can take a year or more to be authorised by the numerous data protection authorities in each of the EEA and EU member states. Again, the administrative costs can be high.
(3) Migrate to a UK-based hosting and disaster recovery solution
Not all cloud-based hosting and disaster recovery systems offer the same level of security, and Brexit could impact a significant number of solutions and providers. Backing data up offsite provides an additional level of reassurance. But there’s no point protecting your data offsite if you’re opening it up to additional vulnerabilities in doing so. Migrating to a UK-based system mitigates the impact of UK data adequacy non-compliance for organisations that wish to use data in the UK.
(4) Choose an industry-leading cloud-based system
Veeam software is on course to become the world’s leading disaster recovery solution, especially with the recent addition of Veeam Cloud Connect, its offsite backup and replication facilitator. Businesses all over the world are utilising Veeam to protect their data offsite. As the industry standard, it’s the system we recommend as we believe it offers the best protection.
(5) Work with an experienced strategic partner
Brexit is shining a light on data privacy and data residency. But of course these should be key considerations in any IT infrastructure design project.
Creating a robust IT infrastructure system that facilitates the free flow of data around the world without any disruption or delays is a complex undertaking. Add the increasingly complex data laws of numerous different countries into the mix, and the task becomes too onerous for most in-house IT teams to manage.
Now more than ever, it’s vital to evaluate both the physical and legislative implications of working with providers of offsite data solutions. A good provider should have a strong background in infrastructure and consultancy and be able to work closely with your organisation to plan your cloud-based data infrastructure around your business needs, rather than simply deliver an off-the-shelf solution that may not be future-proofed against changing legislative requirements such as Brexit.
virtualDCS has been involved with and worked on pioneering cloud technology since its inception. We have sat on BETA panels and tested systems so that we can deliver solid, leading-edge solutions to our customers. We are proud to have been awarded accolades such as UK’s Most Cutting Edge Cloud Hosting Services Provider (TMT News), Best Cloud Hosting Services (AI Magazine) and Best International Cloud Computing Solutions Provider (CV Magazine).
What next for UK data adequacy?
Until the data adequacy decision is made, there is much debate around whether data flows can continue uninterrupted between the UK and EU countries. The decision needs to be made before the 29th March 2019 and will confirm that the UK has taken enough steps to ensure a security level that is equivalent to the EU’s.
If the UK doesn’t get the “ok” from the European Union Committee, then official safeguards will have to be debated and put in place. If data adequacy isn’t granted before the deadline, any information stored outside of the UK would have to rely on alternative legal methods, which would cause both delays and costs for organisations trying to continue business as usual. Obviously, this includes organisations utilising Veeam offsite backup internationally.
Provider security and Veeam offsite backup
Unfortunately, as it stands, there isn’t much anyone can do to speed along the decision-making process. The fate of the UK and its data adequacy rests on the shoulders of our government, yet UK businesses aren’t entirely powerless.
By selecting a Veeam Cloud Connect partner based in the UK and transferring information to UK-based data centres, you can mitigate the implications when the deadline hits, should data adequacy not be granted.
For more information or to speak to a team about Veeam Cloud Connect, call 03453 888 327 or email enquiries@virtualDCS.co.uk