To BREXIT and Beyond!

Thinking about what Brexit means for data protection.

For many UK businesses it will mean dealing with extra regulatory issues and businesses need to be prepared. There will be data protection challenges posed by a no deal Brexit and as a business you need to consider how you are going to deal with these issues, do you have the solutions ready that you will need to implement to help you keep personal data flowing with Europe (the EEA) after Brexit. (The EEA is the EU plus Iceland, Norway and Liechtenstein.)

The Legal Stuff

Firstly, the GPDR will continue to apply, as will the Data Protection Act 2018, after Brexit the government plans to incorporate the GDPR into UK law and in fact If you are a UK business or organisation that already complies with the GDPR and has no contacts or customers in the EEA, you do not need to do much more to prepare for data protection compliance after Brexit. However, if you are a business that regularly transfers personal data between the UK and the EU then you need ensure that this can continue to happen.

Data Transfers

As you will know, presently data can be transferred freely between the UK and the EEA however after a no deal Brexit this won’t be the case you will need to take extra steps to ensure that personal data can continue to flow after Brexit, such transfers would become subject to restrictions, at least in relation to transfers from the EEA to the UK.

Data Transfer from the UK to the EEA

Data transfers from the UK to the EEA can continue, Britain has said that this data can continue to flow freely with no restrictions, therefore you can CONTINUE to transfer data from the UK to the EEA.

Data Transfers from the EEA to the UK

Following a no deal Brexit rules on data transfer as set out in the GDPR will come into play. This means that the UK in data transfer terms will become a ‘3rd Country’ meaning that organisations within the EEA wishing to transfer data to the UK would have to have a legal transfer mechanism in place.

The simplest way to do this is to have an ‘adequacy decision’. what does this mean?

‘An adequacy decision permits a cross-border data transfer outside the EU, or onward transfer from or to a party outside the EU without further authorisation from a national supervisory authority (Article 45(1), GDPR).’

This means that data could continue to be transferred freely. The UK government was hoping that an adequacy decision in relation to the UK would be in place immediately following Brexit. However, this is not to be as the EU Commission has insisted that it will not start the adequacy decision process for the UK until it has formally left the EU.

So where does this leave us?

Well it means that we will need to rely other means as set out in the GDPR. The mechanism that it assumed that most SMEs will use is ‘SCCs’ – ‘Standard Contract Clauses’. SCCs are not the only mechanism and if you are a large organisation and are receiving the data from within that group, you may not need SCCs if your group has approved Binding Corporate rules.

What are SCCs?

SCCs are standard sets of contractual terms and conditions which the sender and the receiver of personal data both sign up to. SCCs are easy to use and virtually remove the need of negotiating individual contractual terms. These EC-approved data protection clauses, often known as model clauses, need to be embedded within contracts (without any changes), or added as an appendix to an existing contract.

EU Representative

For some organisations they will have to appoint an EU representative Article 27 of the GDPR. If you have an office, branch or other established presence in the EEA, or if you have customers in the EEA, you will need to comply with both UK and EU data protection regulations after Brexit.

You may need to designate a representative in the EEA. Organisations must appoint an “EU representative” if they are based outside the EU and monitor the behaviour of, or provide goods or services to, EU residents. You may also have to update your lead supervisory authority.

Review Your Policies and Procedures

At present, UK organisations have written their GDPR compliance documentation from the perspective of the UK being a member the EU. However, when we leave the EU these may need to be updated.

Privacy Shield

For businesses in the US who rely on Privacy Shield - EU-US Privacy Shield, you will need to stay updated on how this progresses as after Brexit the UK will not be part of this arrangement. Your questions answered.

https://www.privacyshield.gov/article?id=Privacy-Shield-and-the-UK-FAQs

Conclusion

If the UK leaves the EU without a deal then there will be implications for the transfer of data, where possible organisations should prepare for both outcomes no deal and deal with transition period. You should ensure that you are following current legislation but do understand the impact on your business that Brexit could bring. As always record your decisions and be able to justify your reasons for what you do.

If the UK leaves the EU with a deal and a transition period - that’s another article!