Brexit is probably a more unwelcome word than “GDPR” was last year. Put the two together and you instantly lose the attention of most people.
That head-in-the-sand approach is very dangerous, however, as Brexit will have serious implications for your business, whatever the outcome – deal, or no deal.
Contrary to the belief of many, the UK’s exit from the EU does not signal the end of GDPR for us.
Instead, the data protection framework will be incorporated into the Withdrawal Act Bill and be known as the UK GDPR, or Data Protection Act 2018.
Therefore, your business must continue demonstrating its compliance with the legislation beyond Brexit.
There are two potential scenarios of Brexit – deal or no deal – and several potential categories your business may fall into depending on how it uses personal data, so it is a complex area.
What could the scenario be?
No Deal Brexit:
If we have a no-deal Brexit, then many of the elements detailed in the “Deal Brexit” section will apply; however, the UK leaves the EU with immediate effect at a specific date and time.
The door to Europe is closed.
In this eventuality, the UK becomes a third country and any treaties, or trade agreements the UK had with the EU are no longer valid and must be re-negotiated.
Being a third country, we will be judged to offer an “inadequate” level of protection to personal data – so any data transfers INTO the UK are restricted.
Adequacy Agreements can be granted to the UK (and probably will be); however, this can take time. Japan was the last nation to be granted one, and it took two years.
Until this time, any transfers into the UK will be conducted at the risk of the sender in the EU and an organisation could refuse to transfer the data until additional safeguards are in place.
While this is unlikely to affect suppliers sending data to their clients in the UK, companies with clients in the EU may find the more diligent ones are less willing to assume the risk and liability of a restricted transfer.
This is because in the event of a breach on data coming into the UK, the sender will assume all liability.
As a result, in the event (or even the prospect) of a no-deal, some organisations may look to move their business to your competitors within the EU.
To address the impacts of restricted transfers of personal data, businesses are advised to insert Standard Contractual Clauses (SCCs) into existing data transfer agreements.
These will help demonstrate that parties signing the contracts provide “appropriate safeguards” to validate the transfer of personal data into a third country.
You should consult a data protection specialist to help with this – a standard commercial lawyer is unlikely to have experience in this area.
There are no restrictions on businesses in the UK sending data into the EU, as it remains a “safe zone”.
Deal Brexit:
If we leave with a deal, then this will have less of an immediate impact on the UK than a no-deal Brexit, but businesses will still have a deadline of the transition period in which to complete their Brexit preparations.
For the purpose of this article, we will assume departure day is 31st December 2020, by which time the following must be addressed:
- Run a data discovery programme to identify any element of your business operation (client or supplier) within the EU.
- Develop an understanding of the type of personal data and the nature of transfers into and out of the EU.
- Review and draft new Standard Contractual Clauses (SCCs) into existing data sharing agreements to address the transfer of personal data out of the EU.
- Consider the structure of your business: if you have offices or establishments in the EU as well as the UK, you will need to register with a European data protection regulator in addition to the UK authority. Currently, UK businesses register with the ICO (Information Commissioner’s Office).
- Evaluate and consider the need for a Data Protection Officer. If the business operates in the UK, but you offer goods or services to individuals in the EU, then you may need representation within the EU as well, as per Article 27 of the GDPR.
The DPO in the UK will represent data subjects and be the point of contact for the ICO, while the DPO in the EU will represent data subjects in the EU and will be the point of contact for the appropriate Supervisory Authority there.
If the business fails to address these points by the end of the transition period, then any transfers of personal data you receive from clients or suppliers in the EU will be unlawful.
It’s also likely clients will begin to place business elsewhere due to the undue risk in transferring data outside of the EU.
Indeed, if a deal fails to be agreed by the end of the transition period, we will default to a no-deal, so it is imperative your business is aware and ready for all scenarios.
Let’s look at the different business operation scenarios:
Businesses and organisations who send or receive personal data to or from Europe
This applies if any aspect of your supply chain is based in the EU – including your IT or CRM providers. If you’re not sure, you should conduct a data discovery programme.
This involves mapping out how and from where personal data enters your business, where it travels to within your business, where it is stored when at rest, or when leaving the business.
Many businesses use cloud servers for data storage – there is a good chance this “cloud” is a server within the EU, meaning personal data travels from this location back into the UK each time a document is retrieved.
Currently, this data transfer is permitted due to the data transfer agreements we have in place as members of the EU.
After Brexit, however, personal data cannot be transferred back into the UK without additional safeguards in place, such as Standard Contractual Clauses (SCCs) being inserted into any data sharing agreements.
If your business sends personal data to the EU, but does not receive it back, then you don’t need to take any further steps as it is going into a safe environment.
Businesses and organisations with a European presence, or European customers
If your business has premises or physical operations in the EU, or you have European customers, then you will need to register with the Supervisory Authority (data protection regulator) in the country of greatest activity, in addition to the ICO in the UK.
Before Brexit, the GDPR offered a “One-Stop Shop” approach to companies who needed to report breaches spanning multiple territories: they would report their breach to a “lead Supervisory Authority”, and that Authority would co-ordinate investigation of the incident with its cross-territorial counterparts.
After Brexit, in the event of an international data breach, an organisation will need to notify at least two Authorities: one within the EU and the UK ICO.
You will need to appoint a suitable data protection representative in the EU. This person will act as your local representative with individuals and data protection authorities in the EU.
As Article 27 of the GDPR outlines, this person cannot be any existing Data Protection Officer (DPO), or one of your data processors (suppliers) – they should be appointed based on their knowledge of European data protection legislation.
Finally, it is likely you will need to review your existing data protection documentation to reflect these changes.
Businesses and organisations whose operations are entirely UK-based and have no contacts or customers in the EEA who are likely to send you personal data
If your business has no customers, or operations outside of the UK, then Brexit will have little impact on your business.
It is important you monitor this, as should you engage with clients or suppliers who have operations in the EU, then you will need to implement some of the measures detailed in this document.
In association with Privacy Helper.