If you are located in the United Kingdom (UK), then you may already be familiar with Operation Yellowhammer and its relationship to Brexit and the European Union (EU).
For those of you that haven’t been briefed on Operation Yellowhammer and how it relates to Brexit, now is the perfect time to learn how this newsworthy code name could possibly affect you and your data transfers.
After the vote on June 23, 2016 resulted in the decision to have the UK leave the EU, Brexit (a combination of "British" and "exit") was official. The UK was slated to make its final exit on March 29, 2019. However, that date was extended to the forthcoming October 31, 2019.
The withdrawal from the EU has sparked a lot of controversy, especially as of late due to the leak of confidential information, a dossier called Operation Yellowhammer. Its existence was first revealed in September of 2018, but in mid-August 2019, the full report was leaked in full and published by The Sunday Times.
Operation Yellowhammer is the code name for a government dossier that outlines some of the possible, potentially dire outcomes of a no-deal Brexit. Before Brexit can become truly official, a deal needs to be put in place between the UK and the EU. This deal will need to address key issues like the Irish border, financial transfers, the rights of EU-UK citizens, and more.
Although the date is getting closer, a deal has not been agreed upon yet. Prime Minister Boris Johnson has vowed that Britain will leave the EU on October 31, with or without a deal in place. Although hopeful to leave with a deal in agreement, the possibility of a no-deal Brexit is increasing in likelihood. Because a potential no-deal Brexit shouldn’t be discounted, Operation Yellowhammer was created by the government in the case the unfortunate scenario occurs.
It’s feared that a no-deal Brexit will hit the British economy hard and disrupt numerous aspects of day-to-day life. Operation Yellowhammer covers "12 areas of risk," such as the movement of goods, healthcare, and transportation. There are also three risks common to all areas.
According to The Sunday Times, Operation Yellowhammer outlines the potential dire impacts a no-deal Brexit will cause for those in the UK.
The 12 areas of risk are:
Risks common to all areas:
When Brexit occurs and the UK separates from the EU, it will be considered thereafter as a "third country." This means that the UK will be considered outside of the EU’s current data protection laws. As a result of this, the transfer of personal data may be restricted or subject to additional safeguarding to ensure that the data receives the same adequate level of protection outside the EU, as it would have received before Brexit.
When the UK exits the EU, the General Data Protection Regulations (GDPR) for EU and European Economic Area (EEA) citizens will no longer be law in the UK, although the vast majority of the GDPR is still set to be incorporated into UK law (UK GDPR) regardless of the outcome of deal or no-deal. The two sides would then need to negotiate a deal to decide how data will flow between them.
The EU will need to determine if the UK’s data privacy laws are adequate and should be allowed to process data. This is known as an adequacy deal. In the event of a no-deal withdrawal, an adequacy assessment could take years.
The event of leaving the EU in a no-deal Brexit scenario and the likely prospect of impactful disruption to the transfer of personal data could absolutely be significant. It could particularly be detrimental for businesses that rely on data transfers for their day-to-day operations. A no-deal Brexit will affect every business that sends or receives personal data to anywhere in the EEA or US. This even includes situations where a business may use a service (like hosting for their webpage, emails, or storage) that stores data on servers located in the US or Europe.
As businesses within the UK have previously relied on the EU-US privacy shield to transfer data, upon a no-deal, Brexit UK businesses won’t be part of the EU and won’t be allowed to transfer data to the US using the widely popular existing mechanism. This hassle of making adjustments and changes may make EU-based businesses more attractive over an UK-based business.
In the event of a no-deal Brexit, with no agreed upon arrangements covering data protection, the government has advised organizations to prepare accordingly to ensure any transfer of EU citizens’ personal data to the UK is indeed compliant with privacy laws.
It’s a good start for UK businesses to review their data flows and make the necessary amendments to all contracts with vendors that involve the transfer of personal data outside the UK to the US and EU. Inserting Model Clauses can allow UK businesses to continue operating legally in the event of a no-deal Brexit.
Businesses who fail to take the correct steps could potentially face substantial fines in the event of a no-deal Brexit where the adequate safeguards (Model Clauses) are not implemented.
Although businesses would have to bear the brunt of the expensive resources required to make these changes, these kind of practical steps to prepare for the eventuality of a no-deal Brexit can help to ensure they are not restricted from transferring or receiving personal data from outside the UK.
GoAnywhere MFT, a managed file transfer solution that automates and secures files transfers, is GDPR compliant and would be an ideal and next practical step in order to help ensure your file transfers can still go off without a hitch in a no-deal scenario.
If a deal can be reached before October 31, organizations within the UK will have a transition period where data flow will not change while the new agreement is put into place.
However, if you’re feeling superstitious, GoAnywhere MFT may just be the perfect potion. It will secure, automate, and audit your file transfers to assist your organization in meeting key GDPR principles.