Brexit is coming:
Keep calm and move your data
A survey carried out by the industry association Bitkom has revealed that one in seven German companies that use external service providers for data processing transfers personal data to Great Britain – for example, customer and order data.
When the United Kingdom is no longer a member of the EU, it will be deemed a “third country” in the meaning of the General Data Protection Regulation (GDPR), as the regulation will no longer be effective in Great Britain following its exit from the EU. In legal terms, therefore, it must initially be assumed that its level of data protection is inadequate.
The EU Commission may subsequently find, through an appropriate procedure, that a level of data protection exists in Great Britain which is comparable to that of the EU. Obtaining such a decision, however, is a protracted procedure. Companies must therefore take certain precautions for the time being, to enable continued data transfer to the UK.
What steps are necessary now?
First, check whether your company is even affected under data protection laws. To do so, ask the following three questions:
- Does your company transmit personal data into the United Kingdom?
- Do you make use of IT services provided by British companies (e.g. SaaS solutions)?
- Do you use contract processors in Great Britain (e.g. cloud providers)?
If the answer to one or more of these questions is yes, look into the following measures so that data transfers can continue in line with data protection requirements:
- Binding Corporate Rules (BCR):
Internal corporate data transfers into third countries are permitted on the basis of binding corporate guidelines, which guarantee an EU data protection level within an entire corporate group. However, introducing the BCR is a protracted and costly process.
- Standard contractual clauses of the EU Commission:
These are designed to ensure an adequate level of data protection at the data recipient. For that purpose, the EU Commission provides various standard clauses. Adapting all contracts is considered to be relatively time-consuming.
- Code of Conduct:
A code of conduct consists of binding requirements of an (industry) association or other organisation. These lay down data protection practices for the respective members.
- Consent of the data subjects:
Every single person whose personal data is stored and processed in third countries must give their explicit consent to this. The declaration of consent must refer explicitly to the fact that the data will be transmitted to a country that does not have an adequate level of data protection, or for which an adequate level of data protection has not been confirmed by an appropriate adequacy decision of the EU Commission.
In many cases, moving to a managed cloud or hosting solution within the EU is also a good option for enabling continued GDPR-compliant handling of personal data. Even if such a project seems complex at first glance, it is worth talking to an experienced managed cloud service provider. Such a provider can support the customer with a well thought out migration concept based on tried and tested best practices and point out optimisation options for the target scenario.