April 26, 2024


Data sharing with the UK: The legal situation regarding data protection may remain confusing in the future

Businesses are on the safe side with automated data management.

Since Great Britain left the European Union, the legal basis for exchanging data across the English Channel has again been under discussion. A transition period is currently in effect; beyond that, transfers to UK companies require, in addition to the applicable data protection laws, an adequate level of data protection in accordance with Article 44 of the GDPR (General Data Protection Regulation). European companies that store personal data at UK sites face heavy fines if these additional requirements are not met.

Now, after an in-depth review, the European Commission has declared UK data protection law “adequate”, so that no additional requirements are necessary. According to European Commission Vice-President Věra Jourová, the rules in place provide protection for personal data that is adequate by European Union standards. However, the EU member states have yet to approve the draft. They have until June to do so, when the transition period ends. Only then will data exchange between the European Union and the United Kingdom be possible again without restrictions.

Not only large corporations but also medium-sized companies and startups in Europe share data with locations on the island. Many companies in the European Union rely on British service providers, especially for cloud services as well as maintenance and customer service. They should all welcome the “adequacy decision”, as it guarantees legal certainty.

However, they should not be too enthusiastic about the security of data exchange between the EU and the UK, as Mark Algrim, specialist for digital transformation, risk mitigation and compliance at Veritas, warns with regard to the GDPR: “The decision may not be in effect for long. As was the case with previous agreements on this topic, most recently the Privacy Shield between the European Union and the United States and its predecessor Safe Harbor, there is a risk this time too that NGOs will go to the European Court of Justice to overturn the decision, in which Great Britain was not specified. In addition, it has not been examined how well data is protected there from access by the intelligence services, because the UK is a member of the Five Eyes alliance.”

Companies that share personal data with UK sites should therefore prepare for potential compliance issues. Among the most important measures are comprehensive data protection controls and the introduction of automated data management, through which old and new data are automatically examined, classified and processed according to their content. In practice, five best-practice steps have proven effective for this task:

  • Locate: First of all, you need an overview of where information is stored – a data map, so to speak. This applies in particular to data in the cloud: for compliance reasons, the company must verify whether the data center is located in the European Union or in an adequate third country.
  • Search: The GDPR gives EU citizens the right to request an overview of the data stored about them. Companies must hand it over promptly. Suitable software and processes are therefore needed to find the data quickly and delete it if necessary.
  • Reduce: The GDPR aims to ensure that companies generally retain less personal data and store it only for a specific purpose. Each file should therefore be given an expiration date and be deleted automatically after a certain period of time (depending on the purpose).
  • Protect: It goes without saying that personal data deserves special protection. Businesses need to take measures to ward off attacks from outside and from within. If something does happen, the data breach must be reported within 72 hours.
  • Monitor: Anyone who wants to report a breach first has to know that it exists. The second step is to determine quickly and clearly which data is affected, because the General Data Protection Regulation (GDPR) explicitly requires that those affected by the incident as well as the authorities be informed of it within 72 hours. It is therefore recommended to use a professional data management solution with which the complex storage infrastructure can be scanned permanently and automatically for violations.

Ideally, the data management tools used for each of these steps follow a central policy from which measures are derived and then implemented automatically. Also recommended is a service that tailors the various tools to the individual environment and conducts an initial GDPR maturity assessment. From the results, individual risks can be identified quickly and the biggest problems addressed first.