Brexit is causing an uproar throughout Europe as a no-deal Brexit is becoming a more realistic scenario. Lack of clarity regarding the consequences, for citizens, expats, abounds, but also for businesses it is hard to anticipate what the results may be. And this applies to data, too. For years, the data of our solutions clients, as well as our own, have been safe in London. With Brexit looming on the horizon, consequences for privacy have become unclear and so we have decided to take action.
DATA WITHIN THE EU
As soon as the United Kingdom leaves the European Union, the country will be considered a ‘third country’. European law stipulates that the transmission of personal data to third countries is prohibited if a series of guidelines is not complied with. With Brexit on the horizon, we have decided to preventively move the data of our solution clients across the Channel to Frankfurt. Safely within the European Economic Area (EEA), entirely in conformity with the General Data Protection Regulation (GDPR).
WE AVOID RISKS WITH DATA
We entrust lots of data to our solutions. For user accounts and brand building blocks, for pictures (the GDPR considers pictures of people personal data) and associated quit claims, to name just a few. We thereby avoid all risks. The EU is a single jurisdiction, so that the level of data protection is the same throughout the Union and in all its Member States. Keeping data outside the EU does not necessarily create an issue if only in the country where the hosting takes place a level of data protection is guaranteed which is ‘essentially equivalent’. And as the United Kingdom as from 29 March 2019 is no longer a Member State, it is not clear what the level of data protection will be.
MOVING DATA OF SOLUTION CLIENTS PROACTIVELY
In the event of a hard Brexit, there will no longer be a situation of free movement of services, which is a limitation which has far-reaching consequences for related sectors. Also in case of a soft Brexit with bilateral free-trade treaties, then it may still take a while before an agreement has been concluded between the UK and the European Union. Even in the event the UK has its privacy regulations in proper order, an explicit ruling of the European Commission on whether data transmission to the country is permitted must precede further action. ‘Only after Brexit will there be more clarity about the consequences for data protection and we do not want to sit still until then. We have chosen to migrate the data of our solution clients prematurely’, says Marcel Braakman, Principal Consultant and Security Officer at Capital ID.
SEAMLESS TRANSITION
In close consultation with clients, Nico Hulsman, Senior System Engineer, has procured, jointly with his fellow System Engineer Devon Pellaers, and Sander Boom from Support, a transition which is as seamless as possible. Sander: ‘Our clients depend of the stable functioning of their portal and by taking action through mutual agreement at well-chosen moments we were able to bring this about’. In this manner, all data, up to the very last byte, have been transferred.
‘For our clients, nothing is changed visually. They still log in to the same portal, but the data find their way to the screen of the user from Frankfurt now, instead of from London. They can get to work without worries, because they know their data are safe’, says Marcel Braakman. As additional advantage of the migration which Nico mentions is that the solutions and the associated data now are running on even newer hardware.
SAME STABILITY AND SECURITY, DIFFERENT LOCATION
Rackspace has been our trusted hosting partner for years. With their characteristic Fanatical Support®, it is a highly reliable party in hosting technology which has provided our clients such as Booking.com and Univé with stability and availability of data for an extended period of time. Also in Frankfurt we will make use of their services. Same service, different data centre.
COMPLIANT WITH GDPR WITHOUT WORRIES
Besides ensuring that your data are stored safely in the EU, we constantly work on solutions to make it easier for you to comply with legislation and regulations. A few examples. How do you record who is in a picture and even more important: how do you keep track of whether permission has been granted for using the picture? With our quit claim functionality, you simply link consent forms of the relevant person to the associated picture in your Digital Asset Management system (DAM).
Or how about requesting information to create an account for your Brand Portal? According to privacy legislation, you may request more information than you affectively need for offering a service, for instance the granting of access to the Brand Portal or the Digital Asset Management system. That’s why it is possible now to modify forms easily, to restrict the personal data you have filled out and only request such information as you need. These are only a few examples of the measures we have taken to render our technology GDPR-proof. In this manner, you can get to work without worrying about legislation and regulations. Isn’t that nice?