Data exchange between the European Union and the United Kingdom: The legal situation regarding data protection could also be confusing in the future

Marc Ahlgrim recommends automated data management for companies to be on the safe side

[datensicherheit.de, 02.03.2021] After the United Kingdom of Great Britain and Northern Ireland (UK) left the European Union, it appears that the legal situation regarding data sharing has not been resolved. As of June 2021 at the earliest There is a possibility that a judgment will be made to clarify this. But even then the last word was not uttered, “If you consider that Max Schreams, for example, through his lawsuit before the European Court of Justice (ECJ) terminated the transnational safe harbor agreement between the European Union and the United States of America and abolished the” Privacy Shield between the European Union and the United States “at the end of 2020.” In the present statement, Veritas addresses the current legal situation regarding the storage of data from The European Union in the United Kingdom indicates potential future developments in this regard and gives companies “best practices” to put their data management on a solid footing – regardless of the law currently in force.

Mark Ahlgrim: Identify individual risks and tackle big problems first!

Redefine the legal basis for exchanging data exchanged across the English Channel

Since the UK left the European Union (BrExit), the legal basis for exchanging data across the English Channel has been debated again. There is currently one for companies in the UK Transitional periodThey are required to provide a level of data protection in accordance with Article 44 of the General Data Protection Regulation (GDPR) in addition to the applicable data protection laws. “European companies that store personal information on UK websites face heavy fines if these additional requirements are not met.”Warnt Marc Ahlgrim, “Digital Transformation, Risk Mitigation and Compliance Specialist,” GDPR bei Veritas.
Currently, the European Commission has revised data protection laws in the UK after an in-depth review “appropriate” It makes clear that additional requirements are not necessary for this. According to Deputy Chairperson of the European Union Commission Vera Gorova, the established rules are sufficient Protection of personal data at the European Union level. However, EU member states have yet to agree to the draft. They have until June 2021 for this – “Then the transition phase ends.”. Only then will data exchange between the European Union and the United Kingdom be possible again without restrictions.

Not only large companies in the European Union, but also medium-sized companies and startups are sharing data with UK websites

Not only large companies, but also medium-sized companies and startups in Europe have shared data with locations on the island. Many companies in the European Union rely on British service providers, especially for cloud services as well as maintenance and customer service. You are all allowed ‘Decision of fitness’ Welcome because it guarantees legal certainty. Ahlgrim: However, you shouldn’t be too enthusiastic about the security of data exchange between the EU and the UK – the decision may not last long. As with previous agreements on this subject, the latest of which is the “EU-US Privacy Shield” and its predecessor, Safe Harbor, “there is also a risk this time that NGOs will take action before the European Court of Justice to overturn the decision.”
According to data protection holders, Great Britain is not very strict about the security of personal data. Additionally, there is no test “How well is the data there is protected from access by the secret services, given that the UK is a member of the Five Eyes Alliance”. So companies sharing personal information with UK websites should contact Arm yourself to potential compliance problems. The most important measures included comprehensive data protection controls and the implementation of automated data management, by which old and new data will be automatically scanned, classified and processed according to their content. In practice, according to Ahlgrim, five best practice steps have proven effective in solving this task:

Automated Data Management: 5 Proven Steps to Best Practices

Locate:
First of all, you need an overview of where the information is stored – one, so to speak Map data. This applies above all to data in the cloud. For compliance reasons, the company must therefore verify whether the data center is located in the European Union or in a suitable third country.

Search:
The GDPR gives EU citizens the right to a An overview of the data that you have saved To claim – companies have to file this right away. So the corresponding software and process to quickly find the data and delete it if necessary is necessary.

Zoom out:
With the necessity to achieve the General Data Protection Regulation, “That companies generally keep less personal data and store it only for a specific purpose.”. So every file must contain one Expiration date It is automatically deleted after a certain period of time (depending on the purpose).

Protect:
In fact, of course: Personal data deserves special protection. Businesses will have to take measures to ward off attacks from the outside and at home. “If something happens, the data leak must be reported within 72 hours.”

Foreman:
Who is the one Security breach He wants to report, he must first know that he is there. “ The second step is to clarify the missing data quickly and clearly. Because the GDPR clearly requires “That those affected by the accident, as well as the authorities, be informed of the accident within 72 hours.”. It is therefore recommended to use a professional data management solution, with which the complex storage infrastructure can be permanently and automatically scanned for violations.

Ideally, the data management tools used for each of these steps followed a centralized policy Derived measures Which will be executed automatically after that. Also recommended is a service that adapts different tools to the individual environment and conducts an initial GDPR maturity assessment. “Individual risks can be quickly identified from the results and major problems can be addressed first.”So, Ahlgrim.

More information on this topic:

ULD Independent State Center for Data Protection Schleswig-Holstein
Briefing Paper No. 4: Transferring Data to Third Countries