After Theresa May’s Brexit deal was voted down in a historic defeat, we discuss how a ‘no-deal’ outcome could impact data transfers. The UK Government has always stated that the GDPR will be incorporated into UK law alongside the UK Data Protection Act 2018 [1] (DPA 2018), and that no significant changes would be necessary. However, a ‘no-deal’ Brexit scenario could have a number of impacts, specifically with regard to the transfer of personal data between the EEA and the UK.
Transfers on the basis of Adequacy
The UK government is seeking an ‘adequacy agreement’ that recognises our data protection governance practices as being equivalent to those in the EU. Such an agreement would allow data transfers between the UK and the EEA without the adoption of any additional controls or measures.
However, it is very likely that an ‘adequacy agreement’ will not be in place before we leave the EU and that there will be an indeterminate period of time to complete this. In the meantime, organisations need to review their personal data transfer mechanisms in order to continue processing the data. Failure to do so could have a negative impact upon business operations.
Representatives
The UK ICO only has jurisdiction in the UK. Consequently, UK businesses operating within the EEA, that is, businesses that provide goods or services to individuals in the EEA or that monitor the behaviour of individuals in the EEA, must appoint an EEA-based ‘Representative’ in order to comply with both the UK DPA 2018 and the GDPR.
Businesses based solely in the UK who offer goods or services to individuals in the EEA, or monitor their behaviour, will need to appoint an EEA representative.
A ‘Representative’ cannot be your DPO or a data processor engaged by you.
Furthermore, organisations conducting business operations across the EEA should identify a ‘lead authority’. This will avoid having to deal with every country in the EEA in the event of a personal data dispute or breach. The lack of a lead authority could have a significant business impact upon an organisation’s resources and its ability to process enquiries from the various authorities. A list of the EEA’s Data Protection Authorities can be found via the link at [3] below.
Data Protection Officer
Organisations may need to review and assess where their DPO is situated. Whether UK or EU based, they can continue in the role provided they have expert knowledge of both UK and EU data protection law and can be “easily accessible” from both locations.
Personal Data Flows & Exchanges
Organisations have worked diligently to realign data processing activities to address requirements defined in the GDPR and the DPA 2018; this work must continue. A cornerstone of the GDPR is to determine the flow and types of data as well as the safeguards associated with the personal data being exchanged.
From a UK government perspective, personal data transfers to the EEA from the UK will not be restricted. This means organisations can continue to send such data without additional requirements. It remains to be seen if the EEA will support this view post-Brexit.
Where organisations receive data from parties in the EEA, the sender is responsible for complying with the GDPR transfer provisions and for ensuring that adequate safeguards are in place. This may mean that UK-based organisations will receive, and be required to respond to, additional data processing questionnaires from EEA-based third parties before data transfers are permitted to continue.
Multinational organisations with existing Binding Corporate Rules (BCRs) that cover the EEA (including the UK) will need to refresh those BCRs to show the UK as a third country. BCRs are likely to still permit the transfer of personal data from the EEA to the UK; however, this is subject to confirmation from the EDPB [2].
It is expected that the UK government will confirm that transfers to countries and territories outside the EEA will reflect existing provisions under BCRs or Standard Contractual Clauses (SCCs).
Organisations must ensure they have adequately identified where they transfer personal data from the UK to countries both within and outside the EEA as these will fall under revised transfer provisions and documentation requirements. The UK government is expected to confirm existing arrangements will be honoured.
Privacy Notices
Organisations will likely have to make changes to their Privacy Notices to reflect how they process international transfers between the UK and the EEA, and other countries, post-Brexit.
Such changes will need to reflect the UK DPA 2018 and UK terminology where the organisation relies upon UK law.
Data Protection Impact Assessments
There may be a need for data protection impact assessments (DPIAs) to be undertaken on the transfer mechanisms and processes between your business and entities in the EEA, if these have not already been conducted. These need to be undertaken without undue delay so that any required changes can be effected prior to the UK leaving the EU.
Conclusions
There is still much uncertainty regarding Brexit and its implications to UK businesses.
Consideration of a ‘No Deal’ option has taken a step forward in recent weeks, and whilst this may be brinkmanship on behalf of the parties, there is a growing need for organisations to prepare for, and consider their options and requirements for, this becoming a reality.
Alignment to the GDPR will keep our businesses closer to the EU’s requirements, but there are differences that need to be addressed.
It is important for the continuity of business operations that considerations and preparations are made in advance, particularly for organisations that have significant European operations and flows of personal data.
Whilst Brexit itself, or aspects of it, may already be incorporated in your business risk register, having a separate line item relating specifically to ‘data transfers’ is advisable.
If your organisation requires further advice or guidance, please contact us for more information.
References
[1] – UK Data Protection Act 2018 – http://www.legislation.gov.uk/ukpga/2018/12/contents/enacted
[2] – European Data Protection Board (EDPB) – https://edpb.europa.eu/
[3] – List and contact details of EU Data Protection Authorities – https://edpb.europa.eu/about-edpb/board/members_en
Disclaimer
This information and guidance are the views and interpretations of Information Risk Management Ltd; they do not constitute legal advice. They are provided with the best of intentions to help organisations achieve their business objectives whilst meeting the requirements of the EU General Data Protection Regulation (Regulation (EU) 2016/679 – April 2016) and the UK Data Protection Act 2018.