UK prime minister Theresa May is giving MPs one more chance to vote on a Bill that would pave the way for a Brexit deal in early June.
However, should this fail yet again, a ‘no-deal’ Brexit will make the UK a ‘third country’ which no longer falls under the General Data Protection Regulation (GDPR), the European Union’s (EU’s) data protection regime.
Any organisation that moves data between the UK and a county within the EU needs to be aware of what will change if the UK effectively signs out of the GDPR.
So says Grant Kirkwood, CTO and founder of Unitas Global, a managed cloud services provider. “While a no-deal Brexit wouldn’t necessarily mean UK citizens have no access to data stored on servers in the EU, as with most aspects of Brexit, we simply don’t know.’
He says many companies began moving their data centres to prepare for Brexit right after the referendum was passed in 2016.
“Most of these projects have been completed by this point, so the biggest complication that enterprises will face in the event of a no-deal Brexit is changes to data sovereignty laws.
“Once the UK leaves the European Union, they will no longer fall under GDPR regulations. I suspect in the first few months, the UK will develop their own version of the EU’s GDPR, but given the initial purpose of Brexit, at some point they will begin to diverge.”
Speaking of UK businesses whose data is already stored on servers within the EU, Kirkwood says with the Brexit date coming up in a couple of weeks, companies that have not already moved their data centres will not have time to do so before the exit.
This will be especially important for UK-based companies storing their data on EU servers because they will no longer fall under the regulations of GDPR, but their data storage facilities will. Informing customers of the data laws applying to them and covering all legal bases will be an essential step following 1 June, he explains.
Although they are not subject to the GDPR, where they store their data still matters, adds Kirkwood. “We live in a world of global commerce and expecting EU citizens to never interact with UK business is unrealistic. Even if a company based in the UK won’t fall under the jurisdiction of GDPR, many of their consumers will. Keeping them up to date on the data sovereignty laws of the UK following Brexit will ensure a company is legally covered should any complications arise between the EU’s GDPR and the new data sovereignty laws that are bound to be established in the UK.”
He says if a UK-based company is storing its data in the EU that data will still be subject to the rules and regulations of GDPR. “The jurisdiction of GDPR is geographically-based, not individually-based. To give another example, a UK citizen living in the EU will still be subject to the laws of GDPR because of their physical location regardless of their nation of origin or citizenship status, and the same will be true for businesses.”
With so much uncertainty about the future, one approach he suggests companies can take is migrating their data to a public cloud provider, such as Azure or Amazon Web Services. “Before doing so, companies need to connect between in-house data centres, private cloud servers and public cloud servers to ensure a smooth migration.”