As the Brexit deadlines draw close, many of our clients have been asking about the potential impact on the way they manage their records. In theory, everything should be quite simple, because the UK and the EU will continue to share the same stringent data protection regulations (in the form of GDPR). But, in practice, there will be some nuances, especially when documents and data are transferred between the UK and Europe. And there’s real potential for divergence in the future. In this Q&A we share the knowledge of:
- David Fathers, Regional General Manager of Crown Records Management
- Jez Tibbetts, Regional Commercial Manager of Crown Records Management
Together, they explore the implications of Brexit on the way organisations store and manage their records and offer advice on next steps.
Should businesses be concerned about Brexit’s impact on the way they manage their records?
For most UK-based organisations, the implications are likely to be minimal. But nonetheless, you should treat Brexit as an opportunity to evaluate the way you manage your records, ensure you don’t have any vulnerabilities, and think about any improvements. For us, it boils down to one key point: GDPR. By complying with GDPR, and understanding the details of your GDPR compliance, you should be well-prepared for Brexit – whatever form Brexit may actually take.
How does GDPR fit into the picture – and what will its status be after Brexit?
Last year, the introduction of GDPR imposed the same strict requirements on every country in the EU – as well as every organisation operating in the EU, and every organisation that holds any personal data relating to EU citizens. GDPR also enables data to be shared and transferred between all EU countries. But the same data cannot be transferred to a ‘third country’, unless the EU believes that country has adequate data protection rules in place. And, after Brexit, the UK will become one of those ‘third countries’. Once Brexit happens (irrespective of how hard or soft it may be), we know that GDPR will be incorporated into UK law. So, in theory, the way you manage your data and documents will continue to comply with EU requirements. And, in all likelihood, the EU will formally state that the UK regulatory regime offers adequate protection (a little like the Privacy Shield arrangements between the EU and the US). But we don’t know for sure what the EU will say, and we don’t know what timescales may apply. So, from a data and document management perspective, that’s the big Brexit uncertainty.
What might the practical implications be for domestic organisations and also for multinational organisations?
Even if you are a purely domestic organisation, which only ever does business in the UK and stores all its data in the UK, you should still give the matter some thought. If you hold any personally identifiable information (PII) on any EU citizens (such as employees, customers, or suppliers), you will still need to abide by the EU’s requirements. By complying with GDPR you should be adequately covered. For a multi-national organisation, especially one that stores and/or transfers data across borders, the situation is going to be more complex. The key is to understand exactly what data you store where, how it is transferred, and how it is protected. Again, we believe that the EU is likely to say that the UK regulatory regime offers adequate protection, which would enable you to continue to operate in the same way. But you may want to put some additional safeguards in place. For example, smaller companies may want to introduce some new contractual clauses, whereas multi-nationals may want to update their binding corporate rules. The UK Information Commissioner’s Office (ICO) has produced a useful guidance document that talks to this challenge. But, if you were to sum it up in one sentence, it’d be this: “your best preparation for the future is to ensure you are effectively complying with GDPR now”.
What if you store physical documents in Europe?
We operate in 40 countries worldwide and, in our experience, it’s very rare for firms to store physical documents offshore. If you do happen to fall into that category, this is a good time to relocate them. There’s no huge urgency to do so, but it makes business sense to plan for it.
How might data protection rules change as a result of Brexit?
In the short-term, nothing will change. The Government has already said that GDPR will be replicated in UK law when Brexit happens. But, in the future, there may be some divergence. For example, there is a chance that the EU may update GDPR, and the UK may not follow suit with its own domestic regulation. But the UK does have a reputation as a data protection pace-setter. So, as a UK company, or a company with UK operations, you’re likely to be ahead of the curve.
Would a no deal Brexit have any additional impact?
For digital data, it’s unlikely that a no deal Brexit would have any additional impact. Instead, the big implication of no deal would be to restrict the physical movement of people and goods – which is all the more reason to avoid the offshore storage of documents.
What questions should organisations be asking themselves regarding records management as Brexit approaches? And what practical steps should be taken to eliminate any risks?
The most pertinent questions are: “Did I do my GDPR compliance rigorously?” and “What can I learn from the process?” As a result of GDPR, you should already know what data you have, where it is located, how it is protected, and how it is transferred. Larger organisations and those that process lots of data will also have a Data Protection Officer who knows the intricacies. The most practical steps are to go back to your GDPR compliance programme and look at everything through a ‘Brexit prism’ – by which we mean, understand what data is stored across what EU and UK locations, and how it is transferred to or from the UK. That way, you should be well-positioned for Brexit (whatever form it may take), be able to identify any necessary changes, and protect yourself from any risks.
How can Crown Records Management help organisations alleviate the related risks of Brexit?
A key part of the Crown Records Management proposition is our Information Consulting Services, which means our teams can help clients with any challenges – including regulatory compliance and Brexit preparations. For example, we can help with a full audit of your records and documents, identify any areas of risk, and help you achieve post-Brexit compliance. As we said at the outset, you should treat this as an opportunity to take a look under the lid of your data, and consider how you could be doing things better. By taking a wider view on your Brexit preparations, our people will almost certainly find practical ways for your organisation to save money, reduce risk, and become more effective in managing paper, digital information and records.
David Fathers heads up the Crown Records Management business in the UK and Ireland, and his focus is on the changes that have affected and continue to affect the industry. With 30 years’ experience in information management, including more than a decade at Crown Records Management, he has worked in management roles in South Africa, the Middle East and Europe.
Jez Tibbetts is a records management systems expert with over 20 years’ operational and commercial records management experience. A key focus is on process improvement and delivering a quality customer experience.