There’s a lot going on in data protection — perhaps too much. And Brexit is complicating matters even more. Before you delve into the detail, here’s what you should be thinking about from a strategic point of view.
With Brexit 2.0 around the corner, businesses are looking at how they collect, use and dispose of personal data. Recently, the Privacy and Data Group at Shoosmiths gave a webinar on the legal implications of Brexit 2.0 and what you should consider doing now (check out Moving from Brexit 1.0 to Brexit 2.0). There is certainly a lot to prepare for.
In this series of bite-size ‘Brexit countdown’ articles, we focus more on the more commercial and strategic implications of ‘Brexit 2.0’ in certain key areas and set out a high-level overview of the sort of things you should be thinking about with your teams and customers, and what you should be doing to get yourself Brexit-ready.
Last time, we looked at the termination of contracts and business arrangements. In this article we look at data privacy and protection.
What sorts of things should you typically be thinking about?
Consider these key matters in particular:
- if you are based in or trade with the UK, have you looked at the draft National Data Strategy recently published by the UK Government? (The document is open to consultation until 2 December 2020). Have you tasked a team member to keep an eye on developments as the UK leaves the EU transitional period at 11pm on 31 December 2020?
- have you looked at how and why you collect, use and dispose of your data from a strategic point of view? To what extent do you treat data as a critical corporate asset? Do you, for example, have a corporate data strategy to make sure that your data is used, shared and moved around your business effectively and efficiently?
- have you considered whether you should or need to store your data in certain jurisdictions only? (Data localisation can sometimes be mandatory)
- have you considered whether you can minimise the amount of data that you transfer overseas? Are you ready for their being no adequacy decision from the EU for UK data (or a delayed adequacy decision)?
- are you using your data well? To what extent, bearing in mind data protection laws, can you use data (including any anonymised or pseudonymised personal data—see below) to create new revenue streams? Or finetune your operations? Or improve business decision-making?
- to what extent do you apply data minimisation principles? After all, the more data you have, the more you may have to transfer and the more risk there is in processing it
- how much does it cost store your data? Recent studies suggest future improvements in storage costs per byte of storage media may be slower in the future than in the past. Can you afford to store data that is a ‘nice to have’ as opposed to a ‘must have’?
- have you considered whether you should anonymise and pseudonymise your data? Personal data that has been anonymised is not subject to the GDPR, but many businesses are still not using the benefits of anonymisation to minimise the amount of personal data which they collect and use
- as the world looks to recover from the COVID-19 pandemic, have you considered ‘greening your data processing’, not only to comply with data protection laws but also to fulfil any corporate and social responsibility (CSR) promises that you have made to make your operations more environmentally-friendly?
Of course, every business will need to consider its own particular circumstances based on factors such as, in particular:
- its location
- the nature of its goods and services
- the business, economic and regulatory environment in which it operates
- the location of its key customers and suppliers, and
- the make-up of its workforce.
There is no one-size-fits-all approach to the analysis you need to do, but thinking about the commercial aspects above can help you decide what legal changes (if any) are necessary now and in the months to come.
At Shoosmiths, we have stayed close to Brexit developments. As always, we welcome any thoughts or comments from you and are ready to help you prepare for Brexit.
We are also producing briefings across all specialisms to keep you informed of legal changes anticipated in light of Brexit. On data protection, we will host a free webinar on 1 December 2020 (Trading internationally? The new data protection SCCs and European guidance explained which will also consider any recent Brexit developments. We hope you can join us.
If you have any queries in the meantime, do get in touch.
In the next article in this series, we’ll be looking at regulatory issues.