UPDATE Aug. 21, 2019: Waiting to see if Britain's new Prime Minister Boris Johnson can pull off Brexit leaves many companies facing technical uncertainties. Auth0 is closely monitoring the ongoing developments between the EU and the UK to ensure that Auth0 remains compliant with all applicable data processing laws, whatever the eventual outcome. We understand this is an anxious and uncertain time for many organisations and we are happy to answer any questions you might have on this going forward — just reach out to an Auth0 resource.
Frustrated by indecision, thousands of people took to London's streets last Saturday, demanding a second Brexit referendum to "put it to the people."
Brexit could happen as late as May 22nd, in the unlikely event that British Parliament approves Prime Minister Theresa May's deal — or with a two-week extension on April 12th, if it doesn't. But even April isn't a hard deadline, with more than 120 MPs backing an amendment in support of indicative voting this week on options like leaving with no deal, a second referendum, or revoking Article 50 altogether.
"There are concerns that a no-deal Brexit could cripple traffic at border crossings and ports, as well as lead to shortages of food, medical supplies and other products now imported from elsewhere in the EU," reports the Washington Post.
Alongside these very tangible dangers to daily life is the risk to data-driven technologies. In a recent report, Her Majesty's Treasury estimates the value of these technologies at £60 billion per year to the UK economy by 2020.
What does all of this mean for companies and organizations doing business in and with the UK? We spoke with Jonathan Keen, Associate General Counsel, Auth0, and Chris Adriaensen, Solutions Engineering Lead, EMEA, to get their insights.
For data-driven companies (or any company with an app or website), the EU's General Data Protection Regulation (GDPR) spelled big changes in 2018, but the fact is that GDPR is actually an update and alignment of an existing network of data privacy laws. GDPR mandates that every EU member state offers at least the same (or better) level of data privacy protection to EU citizens. Countries deemed "adequate" can also freely move data across borders. Brexit raises concerns because it puts these adequacy rulings at risk for the UK.
Don’t Panic, Start Planning
“This is not the end of data protection transfers between the EU and the UK,” says Jonathan. “First and foremost, companies shouldn’t panic, they should carefully analyze their data flows and identify operations that might be affected and how to address these. The UK has been operating within the GDPR framework for nearly a year now and its domestic legislative framework is unlikely to move away from the EU data protection regime, as this might hamper UK businesses’ ability to build and service a European customer base.”
The Information Commissioner’s Office (ICO), the UK regulator for data protection, has already issued a statement confirming that even in the event of a no-deal Brexit, UK-to-EEA transfers of personal data will be permitted under UK law, as well as transfers from the UK to non-EEA countries that already benefit from an EU adequacy decision.
But this position has yet to be reciprocated by the EU.
“EEA to UK data transfers would be treated as if they were transfers to ‘third parties’ for GDPR purposes and require a valid GDPR transfer mechanism, such as Standard Contractual Clauses (SCCs). This would be an inconvenience and administrative burden for the businesses affected, but is by no means a show-stopper,” he says.
Data Processing Center Location Matters
Since the UK faces significant challenges under a no-deal scenario, altering the existing system seems unlikely. “In the medium-to-long term, it makes little sense for the UK to back away from the GDPR requirements to any significant degree, as it would handicap UK businesses’ ability to generate and support a European customer base,” he says.
What does matter is the location of a company’s cloud provider, says Jonathan. “Cloud providers with processing centers in Europe will have a distinct advantage, regardless of how Brexit plays out.”
Future-Proofing for Data Protection
Even though businesses move at a faster pace than most governments, they still need to plan to remain ahead of global privacy developments. "The interconnectivity and influence of modern technology have rightly elevated data protection and cybersecurity to the top of the legislative and enforcement agenda for national governments and regulators all over the globe," says Jonathan.
Expressing these regulations on a practical level isn't new, says Chris Adriaensen, Solutions Engineering Lead, EMEA. "Security best practices have always existed, but GDPR enforces them. Compliance concerns are prompting companies to invest in identity management. From a technology perspective, identity and access management (IAM) helps companies address GDPR in three ways: consent management, transparency and control, and security best practices."
Data privacy, like business, is an increasingly global challenge — all signs suggest that regulations are going to increase rather than diminish as technology continues to develop. "Companies can consider state of the art and costs of implementation when making technology decisions, but the fact remains that building and maintaining appropriate security measures in-house is a heavy exercise. Rather than straining internal resources, they are better off using a live IAM platform that's continually updated and tested by security experts."
If you'd like to learn more about how Auth0's IAM solution can help lighten your data privacy and security load, please reach out to an Auth0 resource.
EDITOR’S NOTE: McKenzie Mayer contributed to this post.