Due to recent political developments, the UK leaving the EU without a deal is a real possibility. In preparation, The DPO Centre is providing the following guidance to organisations in the UK.
Some of the main issues
1. Data “trapped” in the EU
In a ‘no-deal’ scenario, the UK will become what the EU calls a ‘third country’. The EU will no longer treat the UK as an ‘adequate’ country for data protection purposes, so personal data will no longer be permitted to flow from the European Economic Area (EEA) to the UK unless additional safeguards are put in place between the parties.
Data flows from the UK to the EEA will continue as they do now, because the UK has already confirmed it will continue to recognise the EEA states and all of the countries currently deemed ‘adequate’ by the EU.
In time, the UK will likely be granted an adequacy decision. In a no-deal scenario, however, this is highly unlikely in the short term, so further steps must be taken to legitimise transfers and remain compliant.
2. UK and EU data protection legislation could diverge
Upon Brexit, the EU GDPR as it stands at the time of the UK’s departure will become the UK GDPR. The UK Data Protection Act 2018 will then be updated to reflect this.
Any subsequent amendments to the EU GDPR, EU case law or EU regulator decisions may or may not be recognised by the UK. The ultimate arbiter of the EU GDPR will remain the Court of Justice of the European Union (CJEU), whereas the UK GDPR will be adjudicated on by the UK Supreme Court, so interpretations of what is initially the same legislation may diverge over time.
3. EU and UK representation
Article 27 of the GDPR requires controllers and processors located outside the EEA, with no establishment within it, that nevertheless fall within the scope of the GDPR (because they offer goods or services to, or monitor the behaviour of, individuals in the EU) to appoint a Representative based within the EU. The only exemption is for processing that is occasional, does not include large-scale processing of special category data (Article 9) or criminal conviction data (Article 10), and is unlikely to result in a risk to individuals.
Upon a hard Brexit, this means UK organisations processing the personal data of individuals in the EU will need to appoint a Representative in the EU. Similarly, non-UK organisations processing the personal data of individuals in the UK will require a UK Representative under the UK GDPR.
4. Binding Corporate Rules (BCRs)
If your organisation has implemented Binding Corporate Rules (BCRs) and the UK Information Commissioner’s Office (ICO) is identified as the lead authority under the one-stop-shop, then on a hard Brexit the ICO will cease to be an EEA supervisory authority and its approval of your BCRs will no longer be recognised within the EEA. An EEA supervisory authority will need to take over as lead.
Who is affected?
Upon a hard Brexit, potentially all UK organisations that transfer data to, or receive data from, the EU will be affected, regardless of whether they are data processors or data controllers. The main considerations are set out below.
More detailed consideration of the options available in the event of a hard Brexit
Given the uncertainties around the Brexit outcome, it is difficult to be definitive about whether an ‘act now’ or a ‘wait and see’ approach is the most appropriate for your organisation.
If you want to avoid putting your organisation at risk by being unprepared, or being subject to increased pressure on resources in the period immediately after Brexit, the necessary steps can be taken now. A further, more detailed discussion of the options available is provided below.
Where personal data is being transferred to a data processor based within the EEA (such as cloud and SaaS platform providers), the onus is on that processor, as the exporter of the data back to the UK, to ensure that the necessary safeguards are in place. Because the UK will not be considered adequate upon a hard Brexit, data will become ‘trapped’ within the EEA: it will no longer be lawful for these organisations to transfer data back to the UK without additional safeguards.
It would therefore be prudent to identify which of the organisations you currently transfer data to and from are located within the EEA, and to open a dialogue with them about how they intend to comply with their obligations.
The steps required of you are to:
To avoid data being “trapped” in the EU:
To comply with both the UK GDPR and the EU GDPR
EU and UK Representation
Post Brexit Representation from the DPO Centre
To provide our clients with the full range of Representation services post Brexit:
Given the current uncertainty over Brexit, our Representation service is provided on a “No-Brexit-No-Fee” basis. This allows an appropriate service to be put in place now, but it only becomes active, and incurs fees, upon a Brexit outcome that requires it.
Other International Data Transfers – Privacy Shield, Binding Corporate Rules and Standard Contractual Clauses.
Considerations and options for international data transfers include:
The problem with SCCs currently is that no set has been approved for transfers from an EEA-based data processor back to you, a controller in the UK. We will therefore need to identify from your data flows where these relationships exist, ensure that appropriate risk-based decisions are made, and conduct the necessary due diligence so that data does not become ‘trapped’ within the EEA.
There are also some legal questions relating to the validity and suitability of SCCs that have yet to be answered by the EU courts. A ruling is due soon, as is an update to the SCCs themselves; nevertheless, they remain the most appropriate mechanism for legitimising transfers.
If you have implemented Binding Corporate Rules (BCRs), confirm whether the UK Information Commissioner’s Office (ICO) is identified as the lead authority under the one-stop-shop.
How The DPO Centre can help
If you would like to know more about how Brexit may affect your organisation from a data protection perspective, and how an action plan can be put in place to ensure you are prepared, please contact us directly.