Frequently Asked Questions
1. What are the key areas of risk assessment that Advanced has carried out in the context of Brexit?
Advanced has assessed the impact of the following scenarios on our ability to provide contracted services to our customers:
- Lack of trade deal between the UK and EU (import /export)
- Citizen movement restrictions (restriction of movement of citizens between the EU and UK)
- Lack of data protection adequacy agreement (failure to confirm that Data Protection Act (DPA) 2018 is ‘adequate’ for compliance with EU GDPR and vice-versa)
2. What are the main risks to Advanced, and potential impacts of Brexit, particularly if a negotiated trade deal is not agreed?
Risks related to GDPR: From the perspective of compliance, the main identified risk is that our current reliance on UK legislation to safeguard personal data processing will be removed. This will lead to a lack of authority for Advanced and its UK based suppliers to process EU data subjects’ personal data in the UK.
As our data centres are based in the UK, all those customers, irrespective of their geographical location, which process EU data subjects’ personal data would need to review and implement a lawful basis of sharing their data with Advanced and inform the data subjects of the associated processing activities.
In addition, customers based in EEA would need to implement appropriate safeguards for transferring data to Advanced in the UK. The appropriate safeguards include measures prescribed in Article 46 of GDPR, for example, Standard Contractual Clauses.
Risks related to DPA 2018: DPA 2018 considers EEA to be providing adequate safeguard to personal data and there will be no restrictions on data flow from UK to EEA. Hence, there is no risk involved where Advanced provides services to:
- UK-based businesses that do not process personal data of data subjects based in the EEA
- Customers who transfer personal data from UK to EEA, either directly or via Advanced
We have not identified any other risks, apart from those stated above, in relation to the services we provide to customers.
3. What interactions have Advanced had with your supply chain (if applicable) to consider risks and impacts of the end of the transition period?
Advanced initiated an exercise to obtain a level of assurance from our suppliers that services can, and will continue to be provided in accordance with any contractual agreements, and if not, that measures have been identified by Advanced to ensure the continued operation of our business, and of our contractual obligations to our customers.
For those suppliers that are involved in the delivery of services to customers, contracts will be reviewed / updated to reflect the legislative changes due to Brexit. If required, additional safeguards, as prescribed in the GDPR and DPA 2018, will be implemented for data transfers from EEA to UK or other non-EEA locations and vice-versa.
4. What risk mitigations will be in place to ensure continuity of service to Advanced’s customers post Brexit?
The key steps that we are undertaking to ensure maintained compliance with both EU GDPR and DPA 2018 are:
- Reviewing and updating customer contracts
- Reviewing and updating our privacy policies
- Updating our data protection registration(s) with the relevant Supervisory Authorities
- Updating our Breach Notification process
- Reviewing our Register of Processing Activities and any cross-border transfers of data
- Employing Binding Corporate Rules (BCR) to ensure global, cross-organisational compliance with both EU GDPR and DPA 2018. These BCRs will be approved by the relevant Supervisory Authorities based in the UK and EEA.
- Signing Standard Contractual Clauses with EEA-based customers, where applicable