As we know, the UK left the European Union on 31 January and has now entered an 11-month transition period. In the meantime, the UK effectively remains in the EU’s customs union and single market and continues to obey EU rules. One of the many areas this affects is data protection.
EU-based data controllers like businesses in Ireland are not permitted to transfer personal data outside the EU/EEA unless high data protection standards are maintained. Once Brexit is completed, the UK will become a ‘third country’. From then, personal data transfers from Ireland to the UK will be treated in the same way as transfers of personal data to countries like India, Australia, or Brazil.
When an Irish company intends to transfer personal data to the UK, it will need to have specific safeguards or technical and organizational security measures in place in order to comply with the EU GDPR. This can be done through contractual agreements or by using standard contractual clauses (SCCs).
Similarly, if a UK company is transferring personal data to Ireland or other EU countries, then it needs to provide adequate security measures to protect the personal data of EU residents. It can do this through contractual agreements mutually agreed between the parties.
The Data Protection Commission (DPC) has issued further detailed guidance around standard contractual clauses for after the UK leaves the EU. Another option for managing compliance risks is by adopting international security standards which can help with meeting the requirements of regulations like the GDPR.
How ISO 27001 and ISO 27701 can help
ISO/IEC 27001:2013 is a widely known international standard that specifies the requirements for an Information Security Management System (ISMS). An ISMS is a systematic approach for protecting a company’s confidential information and enables organisations to manage their information security risks. The standard adopts a process-based approach for establishing, implementing, operating, monitoring, maintaining, and improving an ISMS, so it applies irrespective of any geopolitical changes that may happen.
Like all ISO standards, it is globally recognised by all customers and businesses (and not controlled by the EU in any way), so it will apply to any businesses in Ireland and the UK which have client-vendor or supplier relationships.
ISO/IEC 27701:2019 is an extension to ISO 27001 which provides guidance for establishing, implementing, maintaining and continually improving a Privacy Information Management System (PIMS). ISO/IEC 27701 provides the management system framework to protect Personally Identifiable Information (PII). So, the ISO 27701 standard helps Irish companies or any clients in the UK (or vice versa) to comply with GDPR as well as other legal and regulatory requirements.
Assuming the UK fully leaves the EU this December, then from January 2021, differentiating an organisation or any business from its competitors will be more important than ever. Even if the products and services delivered from Ireland become more expensive to sell in the UK (or vice versa) due to trade barriers, having ISO 27001 and ISO 27701 certification, which is internationally recognised, will help to demonstrate competence, security compliance, PII protection, quality and reliability. This will provide the foundation for long-term healthy customer relationships, irrespective of economic or political changes. It thus becomes easier to comply with future UK regulations, no matter what choices the UK Government makes after Brexit.
Managing compliance risks
Any changes to legislation in relation to employment, product design, trade, data privacy, IP, trademark registrations, etc., will require companies to review their current processes and evaluate new regulatory information in order to mitigate compliance risks.
Using the right tools and technology, a company can store all compliance information in a single system, which gives proper insight into the risks and opportunities, and it can monitor the potential impact of legislative changes and take proactive steps to mitigate compliance risks.
This needs a proper methodical risk assessment to identify the compliance-related risks and implement appropriate risk treatment.
Implementing both ISO 27001 and ISO 27701 will enable businesses to meet the EU GDPR’s requirement for “appropriate technical and organisational measures”, as well as helping them to comply with many other data protection regulations.
Key benefits of ISO 27001 and ISO 27701
To recap some of the key benefits of the ISO 27001 standard together with the ISMS, they provide a framework for information security management best practices that helps organisations to:
- Protect client and employee information
- Manage risks to information security effectively
- Achieve compliance with data protection regulations such as the EU GDPR
- Achieve compliance with other legal and regulatory requirements
- Manage privacy risks and protection of PII
- Protect the company’s brand image.
Ultimately, both ISO 27001 and ISO 27701 are great business tools to identify information security and privacy-related risks and improve a company’s position within the global market.
Irrespective of what happens with Brexit, implementing the ISO 27001 standard, along with ISO 27701, will help businesses within Ireland and any clients in the UK (or vice versa) to continue to thrive with smooth business operations and customer relationships. The customers on either side will continue to gain confidence and trust from their suppliers adhering to an internationally recognised standard.
The only difference is the extra due-diligence process involved for data controllers transferring data outside of the EU. This will ensure they identify and govern, to the highest possible standards, all the compliance risks that may need different treatment as a result of this geopolitical change.