Forrester: CIOs must prepare for Brexit data transfer

Analyst Forrester has warned CIOs that they will need to prepare to migrate data processing of European Union (EU) citizens from UK datacentres by 2021.

As Computer Weekly has previously reported, when the Brexit transition period ends, UK ministers will have the power to forge new data-sharing arrangements that risk undermining the viability of future data transfers with the EU.

An adequacy decision is a legal mechanism to allow the European Commission (EC) to facilitate personal data transfers between the EU and third countries – covering data flows under Article 45 of the General Data Protection Regulation (GDPR) for general and commercial needs, and under Article 36 of the LED for law enforcement needs. It would confirm that the UK’s data protection framework is equivalent to that of the EU.

In its Predictions 2021: privacy report, Forrester predicted that the UK will become a “third country” for data protection matters in 2021.The report suggested that from a data protection perspective, this will last through 2021, and will have significant implications for companies globally.

The authors of the report warned: “Regardless of their headquarters location, companies that store and/or process the data of European citizens (customers and/or employees) in the UK will either need to physically move that data to another geography that provides adequate protection or include standard contract clauses (CSS) in their contracts.”

According to the Information Commissioner’s Office (ICO), while the government has said that transfers of data from the UK to the European Economic Area (EEA) will not be restricted, from the end of the transition period, unless the EC makes an adequacy decision, GDPR transfer rules will apply to any data coming from the EEA into the UK. The ICO website recommended that businesses consider what GDPR safeguards they can put in place to ensure that data can continue to flow into the UK.

Forrester also highlighted the lack of an adequacy decision, which it said would impact the supply chain of all businesses that rely on technology infrastructure in the UK when dealing with European citizens’ personal data.

The analyst firm predicted that cloud providers will start to provide a way for their customers to make this transition. The authors of the report recommended that companies should focus on assessing compliance with UK data protection requirements, including the UK’s GDPR, and determine how lack of an adequacy decision will impact data transfers and work on a transition strategy.

While the ICO is the UK’s supervisory authority (SA) for the GDPR, in July the European Data Protection Board (EDPB) stated that it will no longer qualify as a competent SA under the GDPR at the end of the transition period. This means the approval decisions of the UK SA taken under the GDPR will no longer have legal effect in the EEA.

Multinational companies use binding corporate rules (BCRs) to allow the transfer of personal data from the EEA to their affiliates located outside of the EEA in compliance with the eighth data protection principle and Article 25 of Directive 95/46/EC.

The EDPB has urged current BCR applicants to identify a new BCR lead SA in the EEA well in advance of the end of the Brexit transition period, including contacting the SA in question to provide all necessary information as to why this SA is being considered as the new BCR Lead SA.

On its website, the ICO said that if BCRs are drafted widely enough, they should be able to accommodate changes in the company structure and some variation in the types of data flow. It noted that model contracts can also be used instead of a BCR to facilitate intracompany data flows between the EEA and a third country.

However, the ICO said: “There are drawbacks with the use of contracts, particularly in multinational companies with complex structures, because sometimes hundreds of contracts are required to cover transfers between all affiliates. The task of making sure that contracts are kept up to date to keep pace with the changing corporate structure can also be difficult and time consuming.”