Background
Due to recent political developments, the UK leaving the EU without a deal is a real possibility. Therefore, in preparation, The DPO Centre is providing the following guidance to organisations in the UK.
Some of the main issues
1. Data “trapped” in the EU
In a ‘no-deal’ scenario, the UK will become what is known by the EU as a ‘3rd country’. This means that the EU will no longer consider the UK an ‘adequate country’ in respect of data protection. In this case, personal data will no longer be permitted to flow from the European Economic Area (EEA*) to the UK without implementing additional safeguards between the parties.
Data flows from the UK to the EEA will continue as they do now, because the UK has already confirmed it will recognise all of the countries currently deemed ‘adequate’ by the EU.
In time, the UK will likely be awarded an adequacy decision. In a no-deal scenario, however, this is highly unlikely in the short term, so further steps must be taken in order to legitimise transfers and remain compliant.
2. UK and EU data protection legislation could diverge
Upon Brexit, the EU GDPR as it stands at the time of the UK’s departure will become the UK GDPR. The UK Data Protection Act 2018 will then be updated to reflect this.
Any subsequent amendments to the EU GDPR, EU case law or EU regulator decisions may or may not be recognised by the UK. The ultimate arbiter of the EU GDPR will remain the Court of Justice of the European Union (CJEU), whereas the UK GDPR will be adjudicated on by the UK Supreme Court, and therefore interpretations of the same legislation may vary.
3. EU and UK representation
Article 27 of the GDPR requires organisations located outside of the EEA that do not have a physical presence within the EEA, but that process data on EU residents on a ‘large scale’ or process special category data as referred to in Article 9 or 10, to appoint a Representative based within the EU.
Upon a hard Brexit this means UK organisations processing the personal data of EU residents will need to appoint a Representative in the EU. Similarly, non-UK organisations processing data on UK subjects will require a UK representative.
4. Binding Corporate Rules
If your organisation has implemented Binding Corporate Rules (BCRs) and the UK Information Commissioner’s Office (ICO) is identified as the lead authority under the one-stop-shop, then on a Hard Brexit this will no longer be recognised within the EEA.
Who is affected?
Upon a hard Brexit, potentially all UK organisations that transfer or receive data to or from the EU will be affected, regardless of whether they are data processors or data controllers. Some of the important considerations include:
More detailed consideration of the options available in the event of a hard Brexit
Given the uncertainties around the Brexit outcome, it is difficult to be definitive about whether an ‘act now’ or a ‘wait-and-see’ approach is the most relevant for your organisation.
If you want to avoid putting your organisation at risk by being unprepared, or being subject to increased pressure on resources in the period immediately after Brexit, then the necessary steps can be taken now. A further, more detailed discussion of the options available is provided below.
Where personal data is being transferred to a data processor based within the EEA (such as cloud and SaaS platform providers), the onus is on them to ensure that the necessary safeguards are implemented. Because the UK will not be considered adequate upon a hard Brexit, data will become ‘trapped’ within the EEA, as it will no longer be lawful for these organisations to transfer data back to the UK without these additional safeguards in place.
It would therefore be prudent to identify which of the organisations you currently transfer data to and from are located within the EEA, and to ensure that appropriate dialogue has been entered into with them regarding how they intend to comply with their obligations.
The steps required of you are to:
To avoid data being “trapped” in the EU:
You should
To comply with both the UK GDPR and the EU GDPR
You should
EU and UK Representation
You should
Post Brexit Representation from the DPO Centre
To provide our clients with the full range of Representation services post Brexit:
Given the current uncertainty over Brexit, our Representation service is provided on a “No-Brexit-No-Fee” arrangement. This enables an appropriate service to be implemented, but it only becomes active and incurs fees upon an appropriate Brexit outcome.
Other International Data Transfers – Privacy Shield, Binding Corporate Rules and Standard Contractual Clauses.
Considerations and options for international data transfers include:
The problem with SCCs currently is that they have not been approved for data transfers from an EEA-based data processor back to you in the UK. Therefore, we will need to identify from your data flows where these relationships exist and ensure that appropriate risk-based decisions are made, and the necessary due diligence conducted, so that data do not become ‘trapped’ within the EEA.
There are also some legal questions relating to the validity/suitability of SCCs that have yet to be answered by the EU Courts. A ruling is due soon, as is an update to SCCs, however they remain the most appropriate mechanism for legitimising transfers.
If you have implemented Binding Corporate Rules (BCRs), confirm whether the UK Information Commissioner’s Office (ICO) is identified as the lead authority under the one-stop-shop.
How The DPO Centre can help
If you would like to know more about how Brexit may affect your organisation from a data protection perspective, and how an action plan can be put in place to ensure you are prepared, then please contact us directly.