Due to recent political developments, the likelihood of the UK leaving the EU without a deal is a real possibility. Therefore, in preparation, The DPO Centre is providing the following guidance to organisations in the UK.
Some of the main issues
In a ‘no-deal’ scenario, the UK will become what is known by the EU as a ‘3rd country’. This means that the EU will no longer consider the UK an ‘adequate country’ in respect to data protection. In this case, personal data will no longer be permitted to flow from the European Economic Area (EEA*) to the UK without implementing additional safeguards between the parties.
Dataflows from the UK to the EEA will continue as they do now, because the UK has already confirmed it will recognise all of the countries currently deemed ‘adequate’ by the EU.
In time, the UK will likely be awarded an adequacy decision, however in a no-deal scenario, this is highly unlikely in the short term, therefore further steps must be taken in order to legitimise transfers and remain complaint.
Upon Brexit, the EU GDPR as it stands at the time of the UK’s departure, will become the UK GDPR. The UK Data Protection Act 2018 will then be updated to reflect this.
Any subsequent amendments to the EU GDPR, EU case law or EU regulator decisions, may or may not be recognised by the UK. The ultimate arbiter of the EU GDPR will remain the Court of Justice of the European Union (CJEU) whereas the UK GDPR will be adjudicated on by the UK Supreme Court and therefore interpretations of the same legislation may vary.
Article 27 of the GDPR requires organisations located outside of the EEA that do not have a physical presence within the EEA, but process data on EU residents on a ‘large scale’ or process special category data as referred to in Article 9 or 10, to appoint a Representative based within the EU.
Upon a hard Brexit this means UK organisations processing the personal data of EU residents will need to appoint a Representative in the EU. Similarly, non-UK organisations processing data on UK subjects will require a UK representative.
If your organisation has implemented Binding Corporate Rules (BCRs) and the UK Information Commissioner’s Office (ICO) is identified as the lead authority under the one-stop-shop, then on a Hard Brexit, this will no longer be recognised within the EEA.
Who is affected?
Upon a hard Brexit, potentially all UK organisations that transfer or receive data to or from the EU will be affected, regardless of whether they are data processors or a data controllers. Some of the important considerations include:
More detailed consideration of the options available in the event of a hard Brexit
Given the uncertainties around the Brexit outcome, it is difficult to be definitive about whether an act now, or wait-and-see approach is the most relevant for your organsisation.
If you want to avoid putting your organisation at risk by being unprepared; or be subject to increased pressure on resources in the period immediately after Brexit, then the necessary steps can be taken now. A further, more detailed discussion, about the options available is provided below.
Where personal data is being transferred to a data processor based within the EEA (such as cloud and SaaS platform providers), the onus is on them to ensure that the necessary safeguards are implemented. Due to the UK not being considered adequate, upon a hard Brexit, data will become ‘trapped’ within the EEA as it will no longer be lawful for these organisations to transfer data back to the UK without these additional safeguards in place.
It would therefore be prudent to be aware of which organisations that you currently transfer data to and from are located within the EEA. Ensure appropriate dialogue has been entered into with them regarding how they intend to comply with their obligations.
The steps required of you are to:
To avoid data being “trapped” in the EU:
To comply with both the UK GDPR and the EU GDPR
EU and UK Representation
Post Brexit Representation from the DPO Centre
To provide our clients with the full range of Representation services post Brexit:
Given the current uncertainty over Brexit, our Representation service is provided based on a “No-Brexit-No-Fee” arrangement. This enables and appropriate service to be implemented, but it only becomes active and incurs fees upon an appropriate Brexit outcome.
Other International Data Transfers – Privacy Shield, Binding Corporate Rules and Standard Contractual Clauses.
Considerations and options for international data transfers include:
The problem with SCCs currently therefore, is that they have not been approved for data transfers from an EEA based data processor, back to you in the UK. Therefore, we will need to identify from your data flows where these relationships exist and ensure that appropriate risk-based decisions are made, and the necessary due diligence conducted to ensure that data do not become ‘trapped’ within the EEA.
There are also some legal questions relating to the validity/suitability of SCCs that have yet to be answered by the EU Courts. A ruling is due soon, as is an update to SCCs, however they remain the most appropriate mechanism for legitimising transfers.
Confirm, if you have implemented Binding Corporate Rules (BCRs), if the UK Information Commissioner’s Office (ICO) is identified as the lead authority under the one-stop-shop.
How The DPO Centre can help
If you would like to know more about how Brexit may affect your organisation from a data protection perspective and how an action plan can be put in place to ensure your are prepared then please contact us directly.