Brexit is bringing a plethora of uncertainties to businesses around the UK. With the new deal agreed between the UK and the rest of the European Union, there is one intangible asset still not properly addressed… data! With what’s called a “bridging period” in place for the time being, what does that mean for HubSpot users in the UK? Read on for our take.
Previously, data travelled freely without barriers or fees between the UK and the rest of the EU. As you can imagine, this made trade easy for businesses that rely on transferring information about their customers to sell goods and services, especially within digital industries like technology, telecoms, and digital marketing.
The UK had been part of the mutually agreed General Data Protection Regulation (GDPR), which came into force in 2018, covering EU members with the world’s most stringent data protection rules. This meant that personal information gathered in other GDPR-protected countries could enter the UK with no barriers, as it was assured that data would be equally protected in the country.
The UK's Data Protection Act 2018 supplements GDPR and, in some scenarios, goes slightly further, making the UK’s data protection rules more stringent in some specific cases. This means that deal or no deal, the Data Protection Act will ensure that personal information processed in the UK enjoys the same, strict level of data protection they do now.
However, now, under the new EU law, the UK is automatically considered a “third country” thus not bound by GDPR rules, and able to diverge from those standards if parliament so decides. Consequently, this has meant that the UK is deemed a nation with which the European Union has no specific agreement, raising the concern that data from EU countries will not be able to flow freely to the UK.
This uncertainty around data in the deal can likely affect UK HubSpot users, as all customer data is processed and secured in the EU before being transmitted and stored in the US.
HubSpot’s product infrastructure is hosted on Amazon Web Services (AWS) in the United States East region, but before it gets there, HubSpot processes data in the Google Cloud Platform (GCP) in Frankfurt, Germany. This includes leads, email events, and analytics.
By hosting these services in both AWS in the US and GCP in Germany, HubSpot has increased performance and reliability of those services by locating them closer to end users in the EU, a huge geographical sector for HubSpot.
This means that if you are a UK HubSpot customer, your data is being sent between the UK and EU at every moment of every day in two ways:
In the event of this new deal, these two scenarios are treated differently:
The positive news is that the UK ICO has deemed the EU’s data protection laws to be ‘adequate and efficient’. Consequently, transferring data from the UK to the EU will be unaffected.
To enable the free flow of data between companies and individuals located inside and outside of the EU, a mechanism called ‘an adequacy decision’ will need to be implemented. An adequacy decision decides whether a third country is deemed adequate by the European Commission that personal data is allowed to be transferred to that country without any additional safeguards required.
This may sound like a big ask, but abiding by adequacy decisions are no stranger to the UK. The UK has them in over 42 countries in and out of the EU, such as Argentina, Canada, Israel, Japan, New Zealand, Switzerland and Uruguay. Thankfully, the vast majority of the 12 EU adequate countries have stated that they will continue to allow data transfers to be uninterrupted to the UK after 31 December 2020.
At the moment, a bridging period of up to six months has been agreed to ratify a data adequacy agreement. This means that until then, UK HubSpot users can rest assured that data will continue to flow freely between the UK and EU. This period will also give the UK government a chance to work with the sector to finalise any new tools or regulatory measures for UK companies in order to complement a data adequacy agreement.
Although there is no guarantee that the EU will grant us an adequacy decision at all, we should remain confident that the data protection standards we hold, paired with the many adequacy agreements we have with countries around the world, will give us a strong leg to stand on when we get round to signing one.