Balancing speed and compliance across international data flows, especially post-UK GDPR and EU adequacy changes
By Graham Reilly, Head of Information Security at Patchworks
This new balance relies on rapid, ubiquitous data sharing across supply chains and international borders so that real-time AI, IoT and cybersecurity functions can transfer and process data seamlessly. That need for agility and speed clashes with the stringent compliance requirements that protect personal data.
The UK’s departure from the EU has created two distinct regulatory regimes, UK GDPR and EU GDPR. While both sides currently maintain alignment through the EU adequacy decision, this opens up the possibility of regulatory divergence in the future, and the UK government’s push to reform data protection measures makes a change in that alignment possible.
As an established UK iPaaS, we receive and manage our customers’ personal data and are responsible for it as a data processor under GDPR. In practice our day-to-day business is tied closely to personal data processing, so a data minimisation approach, in which we limit that processing, is not really possible in our case. At Patchworks we have taken an initial approach of supplier and data localisation to minimise the compliance burden while allowing us to grow and scale at speed. Over the last few years we have mitigated the regulatory risk by hosting and processing personal data “on-shore”, in countries we know have an established and safe adequacy agreement with the EU. This reduces the administrative burden of completing third-country risk assessments such as the UK International Data Transfer Agreement (IDTA).
In practical terms that has involved comprehensively assessing our supply chain, both third-party hiring and the contacts and relationships involved in procuring digital software and services. That has meant looking more closely at hiring practices in specific locations and at the SaaS providers who host or process our customers’ personal data. The first step was moving away from any supplier in a currently designated third country to “safer” countries with adequacy agreements in place, to reduce the compliance burden.
For new third-party suppliers that process our customers’ data we now focus entirely on the EU and the UK to reduce that burden. In parallel we needed to identify the SaaS applications we do use and whether their processing could be brought back onshore. Many vendors, especially larger ones, offer this: processing core data in specific regions while offering a hosting option on local servers, e.g. AWS EU/UK regions, Atlassian in the EU.
Following recent moves in the UK to reform data protection and privacy rules, we have been forced to consider further consolidation under the EU GDPR. It is not out of the question that wider geopolitics could play a part in any final alignment of data protection and privacy rules within the UK.
Could the UK ultimately align more closely with US rules and regulations and move more permanently away from the EU? It’s possible. The world is fragmenting into competing trade blocs, with some evidence that this is also happening in digital rules and governance. Customers and clients increasingly care where and how their personal data is processed. UK businesses need to be able to evaluate the risk and be prepared for any change of course from the UK government in terms of alignment to a new set of rules.
Another important initiative for Patchworks has been centralising our compliance platform to achieve ISO 27001 and SOC 2 certification and attestation. This means we can further leverage the platform to move towards compliance with ISO 42001 and the EU AI Act. Having this infrastructure already in place has also dramatically reduced our overhead in terms of manual intervention when achieving compliance and certification within the organisation. It is certainly an initial cost for small companies, but one we would thoroughly recommend to small UK start-ups and scale-ups to allow more efficient operations.
Other strategies and initiatives exist that we are actively considering. Data masking and anonymisation can be used at source to remove personal data identifiers, removing the need for these transfer risk assessments. We are also considering further extending and automating compliance mapping to identify specific personal data categories in live, real-time data, making it easier to classify and manage. This, however, comes at an increased cost in tooling and capability, which small scale-ups do not need to add to their already high running and operating costs.
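To make the masking-at-source idea concrete, here is an added example (written for this page, not Patchworks’ own code or platform) that classifies the fields of a flat record as personal data and then either pseudonymises them with a keyed HMAC token or drops them entirely before the record leaves the originating region. The field-name taxonomy, the regexes, the key and the sample order record are all constructed assumptions for illustration.

```python
import hashlib
import hmac
import re

# Constructed demo key. In practice the key stays with the data controller in a
# secrets manager and never travels with the masked data.
KEY = b"constructed-demo-key-not-for-production"

# Field-name tokens that mark a field as a direct identifier. This is an assumed,
# deliberately simple taxonomy for illustration, not a standard classification.
IDENTIFIER_TOKENS = ("name", "email", "phone", "address", "postcode", "birth", "dob")

# Whole-value patterns used to catch contact details that land in unexpected fields.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
PHONE_RE = re.compile(r"^\+?[0-9][0-9 \-()]{6,}[0-9]$")


def classify_field(name, value):
    """Classify one field: 'identifier' (by field name), 'contact_detail'
    (by the shape of the whole value), or None for non-personal data."""
    lname = name.lower()
    if any(tok in lname for tok in IDENTIFIER_TOKENS):
        return "identifier"
    if isinstance(value, str) and (EMAIL_RE.match(value) or PHONE_RE.match(value)):
        return "contact_detail"
    return None


def pseudonymise(value, key):
    """Keyed, deterministic token: the same input under the same key yields the
    same token, so the receiving side can still join records on it, but cannot
    recover the original value without the key."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def mask_record(record, key, mode="pseudonymise"):
    """Return (masked_copy, classification_report) for a flat record.

    mode='pseudonymise' replaces personal data with a keyed token;
    mode='anonymise' drops the value altogether (sets it to None).
    Fields classified as non-personal pass through unchanged."""
    if mode not in ("pseudonymise", "anonymise"):
        raise ValueError("mode must be 'pseudonymise' or 'anonymise'")
    masked = {}
    report = {}
    for field, value in record.items():
        category = classify_field(field, value)
        if category is None:
            masked[field] = value
            continue
        report[field] = category
        masked[field] = None if mode == "anonymise" else pseudonymise(str(value), key)
    return masked, report


# Constructed sample record, in the shape of an e-commerce order passing through
# an integration platform. 'alt_contact' is caught by value shape; 'notes' shows
# the limit of whole-value matching on free text.
SAMPLE_ORDER = {
    "order_id": "ORD-1001",
    "customer_name": "Jane Doe",
    "email": "jane@example.com",
    "phone": "+44 7700 900123",
    "shipping_postcode": "SW1A 1AA",
    "alt_contact": "jane@example.com",
    "notes": "call 07700 900123 before delivery",
    "total": 19.99,
    "currency": "GBP",
}

if __name__ == "__main__":
    masked, report = mask_record(SAMPLE_ORDER, KEY)
    for field, category in report.items():
        print(f"{field}: {category} -> {masked[field]}")
    print("unclassified fields:", [f for f in SAMPLE_ORDER if f not in report])
```

Two points worth noting from running it. Because the token is a keyed HMAC rather than a plain hash, identical values (here `email` and `alt_contact`) map to the same token, which preserves joins downstream, while a plain SHA-256 of an email address would be trivially reversible by anyone who can enumerate likely addresses. And the `notes` field is not caught: whole-value patterns do not find a phone number embedded in free text, which is exactly the gap that the automated, content-level classification mentioned above has to close before masking at source can stand in for a transfer risk assessment.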
Patchworks has found success in moving our supply chains away from a global model towards a focus on the EU and UK. This localisation strategy, coupled with a centralised compliance platform, has made a huge difference to our compliance overhead.
We’d encourage the UK government to be very clear in communicating any substantial divergence from the EU GDPR. Businesses need as much notice as possible to implement substantial preparations. If the EU decides not to renew the UK’s adequacy agreement, it would be nothing short of disastrous for UK businesses, which would face a huge effort to align with a diverging, parallel set of rules in both regions. Even AWS, Microsoft and Google, which have sovereign cloud initiatives, would take time to grow out environments that comply with a UK regional variation in rules and governance.
It must be stated that these efforts also do not fully solve the sovereign data protection, privacy and legal concerns of other countries: US legislation such as the CLOUD Act can force US companies to hand over cloud data no matter where in the world it is hosted, and China has corresponding laws to do the same. The EU GDPR goes some way to protecting EU citizens’ personal data. The UK push to reform its data protection and privacy rules is a similar effort, but for UK businesses the need to operate, process and align to numerous sets of rules (EU, UK, US and China), with the compliance overhead of each, may be another limiting factor for UK Inc to grow and establish global champions around the world.