GDPR & Brexit: What Next?
Feb 27, 2019
In early 2018 the General Data Protection Regulation (GDPR) was one of the hottest topics around (I should know, I covered it enough times!). It’s safe to say that Brexit has now overtaken it and leads the field. But it’s important that the two are considered in parallel. After all, the GDPR is a European directive whose aim was to harmonise data privacy laws across Europe, so how will it apply to the UK if we leave the EU, and leave with no deal? How should you prepare for such scenarios?
Currently in the UK, the Data Protection Act 2018 and the GDPR provide us with a comprehensive data protection framework. Under GDPR rules, organisations are only permitted to transfer personal data outside the EU if there is a legal basis for doing so.
If the UK leaves the EU next month without an agreement in place regarding data protection arrangements, there would be no immediate change in our data protection standards. At that point the EU Withdrawal Act would kick in and incorporate the GDPR into UK law, to sit alongside the Data Protection Act 2018.
However, the legal framework governing transfers of personal data from organisations (or subsidiaries) established in the EU to organisations established in the UK would change on exit. So, you will need to actively take steps to ensure that EU organisations can continue to send you personal data here in the UK.
Considering the effort (and sheer length of time) that it has taken for the UK to align with the EU’s data protection regime, the UK government has confirmed that, on the UK’s exit from the EU, transfers of data from the UK to the EEA will continue to be permitted (subject to review, of course).
If we do leave the EU with no deal and you wish to continue to receive personal data from the EEA, those transfers will be deemed “restricted transfers”. You will then need either an “adequacy decision” or appropriate transfer safeguards in place for any personal data you receive from the EEA (or, in certain circumstances, an exception may apply).
An adequacy decision is made by the European Commission and allows restricted transfers from the EEA to a non-EU country (which could of course be us in due course). However, no adequacy decision is in place yet for the UK. If the European Commission has not made such a decision in respect of the UK at the point of exit and you want to receive personal data from organisations established in the EU, you should consider assisting your EU partners in identifying a legal basis for those transfers. The ICO will keep us updated on any plans by the UK Government and the European Commission regarding an adequacy decision. If there is no European Commission adequacy decision in respect of the UK, but the EEA sender has put in place one of the appropriate safeguards listed in the EU GDPR, the EEA sender will still be able to make the transfer to you.
It is advisable that you proactively consider what action you may need to take to ensure the continued free flow of data with EU partners.
In certain circumstances, your EU partners may alternatively be able to rely on an EU GDPR exception to transfer personal data (such as explicit consent from the data subject) or you may already have Binding Corporate Rules in place. However, for the majority of organisations the most convenient appropriate safeguard would be standard contractual clauses. These are model data protection clauses that have been approved by the European Commission and enable the free flow of personal data when embedded in a contract. The clauses contain contractual obligations on you and your EU partner, and rights for the individuals whose personal data is transferred.
The ICO have helpfully released a “contract builder” which helps businesses in the UK to produce a set of GDPR-compliant standard contractual clauses, allowing the lawful transfer of personal data from the EEA to the UK in the event that we leave the EU with no deal: https://ico.org.uk/for-organisations/data-protection-and-brexit/controller-to-processor-contract-builder/
On another note, the ICO have also advised that if you are based in the UK, and not in any other EU or EEA state, but you offer goods or services to individuals in the EEA, then to comply with the EU regime you will need to appoint a suitable representative in the EEA. This person will act as your local point of contact for individuals and data protection authorities in the EEA. This is separate from your DPO obligations, and your representative cannot be your DPO or one of your processors.
With the above in mind, businesses can take the following steps to prepare for a no-deal Brexit:
- Continue to comply – continue applying GDPR standards and follow ICO guidance.
- Identify which processing activities involve the transfer of personal data between the UK and the EEA (e.g. information that is shared with a service centre, cloud provider or service provider).
- Prepare to have an appropriate data transfer mechanism in place for 30 March 2019 – review and update contracts where necessary.
- Update internal GDPR documentation – this includes records of processing.
- Consider if your Privacy Notices need updating.
- Keep those who need to know informed and aware of these key issues, and make sure you keep up to date with the latest information and guidance.