The State of Play
The UK formally left the EU on 31st January 2020. Since then, negotiations have been hampered by the effects of a global pandemic, which neither the EU nor UK had planned for during the transition period. Meanwhile, the Government has been hard at work throwing petrol onto the embers of Brexit speculation, as ministers hint at a divergence from EU privacy laws and a promise of an economy built on unlocking the UK data industry from restrictive regulation.
Understandably, none of this planning and posturing does anything to advance the case for the UK receiving adequacy status once the formal transition period ends on December 31st 2020; the European Data Protection Supervisor has warned both sides to “take steps to prepare for every eventuality” relating to the EU-UK adequacy agreement.
On Friday 12th June 2020, the British Cabinet Office Minister, Michael Gove, confirmed that the UK will not seek an extension of the Brexit transition period beyond 31st December. This is no time for complacency: the transition clock continues to tick towards the end of the year.
Fortune Favours the Prepared
As we move through the transition period very little has changed; EU law (including the GDPR) remains in force across the UK. At the end of the transition period the GDPR will be converted into UK law (the “UK GDPR”), but it is likely that the UK will find itself treated as a third country (a country outside the European Economic Area) for the purposes of the EU GDPR, which creates complications for organisations whose activities continue to leave them within the scope of that legislation.
Unfortunately, the UK simply being outside the EU will not provide a haven from the obligations of the GDPR. Businesses that maintain an establishment within the EU, or that continue to offer goods or services to, or monitor the behaviour of, data subjects within the EU, will remain subject to the GDPR under its territorial scope provisions (Article 3).
When the UK returns its keys to the EU clubhouse for the last time, organisations will finally be exposed to a post-Brexit UK and the potential complications that may follow. The key to preventing avoidable harm to business will be to understand the potential obligations still imposed by the GDPR and be aware of any new requirements that may arise.
Map the Road Ahead
Data is the engine that keeps most businesses running, and although it is always important to “pop the hood” regularly to check that everything is running as expected, that has never been more true than now. Because some personal data (information relating to an identified or identifiable natural person) may soon be subject to different regulations and legal jurisdictions, it is vital to know which rules apply to which parts of your data.
It is impossible to understand the impact of the various outcomes on an organisation without clearly understanding how personal data moves through the business. Entities that are certain there will be no transfers of personal data outside the UK, no goods, services or monitoring directed at EU data subjects, and only UK-based activities can grab a coffee and put their feet up; everyone else should begin an in-depth analysis of their data flows now.
Clearly mapping your data flows in and out of the UK, including maintaining accurate Records of Processing Activities (“RoPA”), assigning the correct lawful basis relied upon for each activity, and recording your use of processors (UK-based or otherwise), is a key part of demonstrating accountability (the principle that requires controllers to take responsibility for compliance and to document it) and of complying with both UK and EU law. It is also the single best starting point for discovering which obligations an organisation will be subject to post-Brexit.
Understand Transfers
EU to the UK: If the UK is not deemed adequate, organisations will not be able to receive personal data from the EU without a suitable safeguard in place, such as the EU Standard Contractual Clauses (the “Model Clauses”) or Binding Corporate Rules. It is imperative that you understand exactly how data flows to and from your organisation and plan to implement a suitable safeguard before the end of the transition period.
UK to the EU: This is likely to be a more straightforward affair, as the current transfer of data from the UK to the EU will stay as it is. The UK Government has stated that the EU will effectively be treated as “adequate” for these purposes, so data flows will continue uninterrupted, provided they comply with all applicable regulations. As UK and Member State laws may diverge over time, it is sensible to keep an eye on how the legal sands shift and be ready to make any adjustments required. Clearly detailing each data flow in your RoPA will assist with this monitoring.
UK to Third Countries: The early signs indicate that simplicity may prevail here too. The UK Government has stated its intention to recognise the jurisdictions considered adequate by the EU Commission as also being adequate to receive data from the UK. Privacy Shield is expected to continue in its present form, although US entities receiving UK data under this safeguard will need to update their privacy notices accordingly. All indications are that the EU Model Clauses will continue to serve as an effective safeguard for such transfers as well.
The validity of the Model Clauses is due to be assessed by the Court of Justice of the European Union in July 2020, so understanding how any changes to this regime may affect your compliance is essential as we move towards the end of the transition period and into a post-Brexit UK.
Representation
If the outcome of your data mapping shows that you are likely to remain subject to the GDPR after the transition period, you may need to appoint a representative within the EU. There may be the option to appoint an affiliate that already processes data within the EU, which could allow you to keep the benefit of the “one stop shop” lead supervisory authority mechanism across the EU. If your EU processing is widespread, you may instead need to plan how to manage communications across multiple jurisdictions and data protection authorities. The complexities of this matter are discussed further in our recent blog on international data transfers.
On the flip side of the coin, the UK Government plans to require non-UK controllers and processors that are subject to the UK GDPR to appoint a representative within the UK.
Open Discussions with Third Parties
The upshot of much of what is discovered during data mapping will be the need to plan for each eventuality and to start conversations with any suppliers or partners who will be involved in data transfers to or from the EU. There are a lot of questions to answer, and working in partnership with your opposite numbers is key.
Summary
There are a lot of competing issues facing every organisation in the UK right now, and there is little way of knowing what the final Brexit deal will look like. Despite these uncertainties, the transition countdown is ticking along relentlessly, and when the clock strikes midnight CET for the last time in 2020, every organisation in the UK will need to be ready for whatever the post-Brexit landscape holds in 2021 and beyond.
The key steps to achieving this readiness will come from a well-planned and well-resourced road map: assess the requirements of the business, map the data and the risks that may arise, and execute the actions needed to comply with any new obligations. As anything orbiting Brexit will remain a political maelstrom, monitor the advice of the Information Commissioner’s Office (the UK’s supervisory authority for data protection) for clarity, pay attention to the forthcoming judgment on the Model Clauses, and seek professional assistance if any doubt arises about the actions required.
The DPO Centre are experts in data mapping and can assist with your Brexit preparations. We provide consultancy, interim support and ongoing data protection officer services that will assist you to understand your data and the steps required to ensure compliant transfers.