Just as everyone started preparing for the MDR, IVDR, and FDA changes, the UK medical research industry is bracing itself for yet another enormous paradigm shift. Data protection and data flow between the UK and EU as we know them are changing.
Any guesses on what it is? Hint: It starts with Britain and ends with Exit.
That’s right. Brexit is coming.
So, why should it matter to you and SaaS companies like us?
Data is constantly being captured, processed, and shared during clinical research. Be it medical documents, identifiable patient records, confidential industry information, or any other form of sensitive personal data, there are big questions about the impact of Brexit on data protection regulations. And by extension, the EU SaaS suppliers you are using during your clinical trials. Here are 5 essential steps you can take to assess if these SaaS suppliers fulfill the data protection requirements post-Brexit:
- Stay up to date and flexible
- Make a risk-impact assessment
- Set up a hard Brexit plan for the EU, UK, and US data flows
- Keep everyone in the loop
- Choose a compliant supplier
As far as unprecedented events go, Brexit is the frontrunner. It’s nearly impossible to fully anticipate the legal and commercial repercussions of Brexit. After consulting with the IAPP and ICO, the consensus is that you should:
- Await an official withdrawal agreement between the UK and the EU; or
- Prepare for a no-deal Brexit
As more information becomes available we can make more informed choices, but until then, let’s dive into the 5 steps to help you prepare for Brexit.
Step 1: Stay up to date and flexible
As Brexit deals are repeatedly being rejected, the terms of the final agreement are anyone’s guess. Any enterprise likely to be affected by Brexit is responsible for carefully monitoring the situation as it unfolds and maintaining a plan that is timely, responsive, and up-to-date with the latest events and projected outcomes. Organisations need to be able to respond to the terms of Brexit as they become apparent, even when they change. Any organisation with data protection responsibilities must be prepared for changes to the regulations surrounding data transfer between the UK and EU, whether that includes a transition period or not.
Step 2: Make a risk-impact assessment
The second stage of creating a robust Brexit plan is to reduce the risk of negative impact on the businesses and enterprises. Eduardo Ustaran, Partner at Hogan Lovells, gave a brilliant presentation named ‘Brexit is coming – are you ready?’ in which he warned the audience that information is key when it comes to anticipating and planning for the impact. Ustaran stressed that one of the few things we know for certain is that, irrespective of the form Brexit takes, there will be no adequacy decision. The European Commission’s adequacy decision would determine if a non-EU country such as the UK would have an adequate level of data protection for data flow between the UK and EU, post-Brexit. Even if the UK is to obtain a favourable adequacy decision for the processing of personal data from the European Commission, this can be a lengthy process. It is, therefore, not a commercially viable solution to wait years for an adequacy decision to be made by the European Commission. The best option for any organisation is to prepare for a worst-case scenario that reflects in the data protection regulations.
So, what exactly is the worst-case scenario? A ‘no-deal’ or ‘hard’ Brexit means that the UK would leave the European Union without a withdrawal agreement and transition period, and EU laws would not apply to the UK. This would have two important implications:
- GDPR will no longer apply and the UK Data Protection Act 2018 will come into full force.
- The ICO will lose their status as a recognised EU data protection authority, meaning a UK organisation with an establishment in the EU will have to select a lead data protection authority for their UK establishment and another for their EU establishment.
These are possible issues that can be anticipated, and a full assessment evaluating the impact of Brexit on all aspects of your business is essential. A comprehensive risk assessment plan will help identify, prepare, and mitigate the problems that can arise.
Step 3: Set up a hard Brexit plan for the EU, UK, and US data flows
The IAPP has released a No Deal Brexit plan for the transfer of personal data which contains some helpful guidelines. If you are established in the UK, transfer personal data outside the UK, and are thus considered a data controller in the UK, there are several steps you can follow to see where your organisation stands. Here’s the gist:
1. Do you process personal data from the UK to the US?
If yes, then transfer mechanisms are needed for the UK to the US data flows, but existing agreements such as Privacy Shield between the UK and the US will still apply. Review and modify your privacy policy to include the UK in addition to EEA countries to make sure you and your supplier’s Privacy Shield commitments and certifications are up to date. Ensure that your dispute resolution clause states that the applicable court is outside the UK in either the US or EU.
2. Do you process personal data from the UK to the EU?
Transfer mechanisms are needed for the UK to EU data flows and it will be up to the UK to determine the EU’s adequacy. According to the ICO, transfers from the UK to the EU are permitted for now but are subject to review. We recommend keeping an eye out on the ICO’s website for updates.
3. Do you process personal data from the EU to the UK?
Transfer mechanisms are needed for the EU to the UK data flows, especially in the case of hard Brexit since there will be no agreement between the EU and the UK for data flow adequacy. This means you need to treat the UK as a third country when checking Binding Corporate Rules or signing EU standard contracts.
4. Do you process personal data from the UK to the rest of the world?
Transfer mechanisms are needed for the transfer of data from the UK to the rest of the world, but existing arrangements will still apply. Check that you or your suppliers’ adequacy arrangements contain specific clauses for the UK and that all relevant certificates are up to date.
Step 4 – Keep everyone in the loop
Whenever changes are confirmed, the first priority is to share information and the new plans with all of the stakeholders, both internally and externally. Flexibility will be essential since informed commercial decisions can only be based on the best available information at that time. Make sure your legal counsel, privacy officer, or data protection officer keep your organisation up to date on the latest legal developments and help draft a communication plan for your organisation. Once you have an internal plan ready, communicate this to your customers. You can even publish a Brexit statement on your website for all of your customers to see.
Step 5 – Choose a compliant supplier
As a UK organization, choosing a new EU SaaS supplier can feel daunting in these uncertain times. Here is a checklist you can use when scoping out new suppliers:
1. Concentrate on the privacy adequacy of your supplier:
Where is my supplier located? Is my supplier subject to EU law or others? Where will the data be hosted?
For example, while evaluating an EU SaaS supplier with a sub-processor in the US, check whether they are Privacy Shield certified, whether you need to sign the EU Model Clauses or the Business Associate Agreement or whether Binding Corporate Rules apply.
2. Check, review, and scope whether they provide sufficient security measures:
Check the supplier’s website for their Security Statement and Privacy Policy to verify compliance. Have them reviewed and approved by your IT department and legal counsel to ensure that the supplier provides sufficient security measures—both technical and organisational—to safeguard your data.
For example, check if they have the necessary certifications for ISO27001, ISO9001, SOC II, etc.
3. Check whether they have thought about Brexit:
Enquire whether they can provide enough information showing how they plan to mitigate the risks and impact of Brexit.
For example, have they published a Brexit Statement on their website or can they provide a confirmation in writing about what they plan to do?
4. If you are processing sensitive personal data, check if the supplier can comply with the current UK law requirements:
Regulations surrounding the processing of sensitive personal data, such as health data, are already ensconced in UK law; find out what the requirements are and ask the supplier how they can meet them, including the Data Protection Act 2018, to ensure compliance.
5. Ensure efficient and proactive support:
Make sure that once the withdrawal deal is published or a no-deal Brexit is announced, that you have a contact person with your supplier to confirm that they are up to date with any legal and regulatory changes.
Conclusion
Here at Castor, we’re taking all the necessary steps to prepare for Brexit, and this means making sure there will be minimal impact on our business and customers. Until we’re sure how Brexit will affect our industry, the best thing we can do is map out the risks, create an action plan covering all foreseeable outcomes, and see how things develop. It’s important to remember that uncertainty does not have to be a negative thing, but can be transformed into a positive opportunity which can help a business grow. We are preparing to ensure a smooth transition throughout the Brexit negotiations and outcome. This means staying alert and flexible so we can react in a smart and positive way as events unfold. These 5 easy steps can help you negotiate a trouble-free Brexit, whatever happens.
Do you have other tips and tricks to help prepare for Brexit? Do you disagree with any of our opinions? Get in touch!