In 2016, the EU adopted the General Data Protection Regulation (GDPR), which came into force on 25 May 2018. That same year the UK voted to leave the EU and, throughout the process of doing so, committed to the standards for data protection set out under the GDPR.
The question arose during this process as to whether the UK would maintain those standards post-Brexit. In the same year that the GDPR came into force, the UK passed the Data Protection Act 2018, incorporating many of the elements of the GDPR into national law ahead of the exit. This indicated a level of commitment to those standards, which was reinforced in the agreed political declaration that would form the basis of the negotiations for the future relationship between the UK and the EU.
The UK’s exit on 31 January 2020 was then followed by a transition period running to the end of 2020. The transition period allowed negotiations to start on the future trading relationship between the UK and the EU, and the positions taken by the government at this stage may still change on the subject of alignment on data protection.
Now, as we move towards the end of the Brexit transition period, organisations need to ensure that they have the relevant policies, processes and procedures in place to remain compliant with data privacy regulations including data sharing agreements, data transfer strategy, EU/ UK Representative and more.
The role of the ICO, how data can continue to flow to and from the UK, and the impact of the Schrems II judgment are the key areas still under question. Together they drive the need for UK/EU representatives, data sharing agreements, a data transfer strategy and the help of privacy experts during this sensitive time, so that businesses can improve their privacy compliance.
[Embedded webinar: the key measures that organisations should undertake during this time to adjust to the new needs and emerging legal challenges within the privacy and data transfers domain.]
By planning for the post-Brexit privacy climate and having privacy experts review your business practices, you can reduce the chances of litigation, fines and reputational damage. You can identify your current gaps and mitigate the associated risks. More on how you can do so is covered towards the end of this article.
Leaving the EU: Are transfers still permissible?
Since the UK left the EU on 31 January 2020, EU law has continued to apply during the transition period, so standard data transfers between EU and UK businesses have remained permissible without any additional safeguards.
This will change as the transition period comes to an end, when the UK will become a third country and be treated as such. The UK is seeking an adequacy decision under Article 45 of the GDPR, which the European Commission can only grant after assessing the UK’s data protection framework; at the time of writing, about a month before the end of the transition period, no such decision has been made.
If an adequacy decision is granted, cross-border transfers from the EU to the UK will be able to continue broadly as they do now, in accordance with Article 45 of the GDPR. The Schrems II judgment, however, has raised the bar for such assessments: the UK’s surveillance laws and its own onward transfers to countries the EU does not consider adequate are both factors the Commission will weigh, and either could make the assessment, and therefore transfers with the rest of the EU, more complex.
Without an adequacy decision, data transfers between the EU and the UK will need to be mapped and then placed on one of the alternative legal grounds: appropriate safeguards under Article 46, binding corporate rules under Article 47, or one of the derogations for specific situations set out in Article 49 of the GDPR. None of these confer adequacy; they are the mechanisms used in its absence.
Under Article 46 of the GDPR, the most common safeguard is for the parties to incorporate the European Commission’s standard contractual clauses into their agreement, establishing binding and enforceable obligations on the data importer. Alternatively, a group of companies may rely on binding corporate rules under Article 47, which are subject to approval by the competent national supervisory authority.
Ultimately, however the scenario plays out, businesses will be required to review their compliance framework and strategy for engaging with their EU customers. For most businesses the adequacy scenario would be preferable, as it will be the least disruptive.
What other regulatory obligations will UK businesses have to commit to?
In terms of the GDPR, businesses in the UK will still have to commit to the general principles and framework currently in place after the transition period, since the GDPR is being retained in UK law as the “UK GDPR” under the European Union (Withdrawal) Act 2018 and sits alongside the Data Protection Act 2018. Under this, there will not be many changes to the level of compliance required: policies and procedures will still have to be put in place, processing of data will have to remain limited to the purposes for which it was collected, and so on.
The obligations within the UK may then be subject to change as amendments are made over time, depending on the wishes of the government of the day. If adequacy remains a key pursuit of trade policy with the EU, however, the framework is unlikely to change dramatically, since any significant divergence could put an adequacy decision at risk.
Once outside the EU, in accordance with ICO guidance, UK businesses that have no establishment in the EU but still offer goods or services to, or monitor the behaviour of, individuals in the EU will be required under Article 27 of the GDPR to appoint an EU representative, based in one of the member states where those individuals are located. The representative serves as the point of contact for EU data subjects and supervisory authorities for enquiries and complaints related to data protection. The appointment of an EU representative will be required even if an adequacy decision is made, because it depends on where the data subjects are, not on how the data is transferred.
What is the status in relation to non-EU countries who have been granted adequacy decisions and transfers between them and the UK?
With regard to transfers outside of the UK, the Data Protection Act 2018 is fairly vague beyond its provisions on transfers for intelligence services and law enforcement purposes. However, given that the GDPR is being retained as the UK GDPR, it is fair to expect that transfers from the UK to third countries will remain subject to the same safeguards provided under Articles 46 and 47.
The jurisdictions currently covered by EU adequacy decisions are Andorra, Argentina, Canada (commercial organisations), the Faroe Islands, Guernsey, Israel, the Isle of Man, Japan, Jersey, New Zealand, Switzerland and Uruguay. The United States is no longer on this list, since the Schrems II judgment invalidated the Privacy Shield framework in July 2020. The UK government has said it will continue to recognise these EU adequacy decisions on a transitional basis, so transfers from the UK to these countries can continue; whether transfers in the other direction remain free depends on each of those countries recognising the UK in turn, and this may become restrictive following the UK’s formal exit. The ICO has recommended that the appropriate transfer tools be considered within the remaining timeframe.
Also, for companies outside the UK that offer goods or services to, or monitor the behaviour of, individuals in the UK but have no establishment in the country, a UK representative will be required under the UK GDPR, in accordance with the guidance provided by the ICO.
What are the key aspects businesses should take into account?
In light of Brexit, businesses that are processing data will have to navigate further uncertainty as the transition period ends. They should prepare for the worst-case scenario, which is that the UK leaves without a deal and without being deemed to provide adequate protection, so that no free flow of personal data from the EU is available.
In terms of this preparation, businesses should ensure that they are compliant with the standards expected under the GDPR, and make arrangements to appoint an EU representative in an EU member state where they are collecting data on individuals but lack an establishment.
When engaging with EU businesses and transferring data, companies will also need contracts drafted to facilitate those transfers and to demonstrate that data subjects retain recourse in respect of their rights under the GDPR. This is most commonly done by incorporating the standard contractual clauses into the contracts between the businesses sharing the data.
There are concerns around the UK’s surveillance powers and its access to the personal data of individuals based in the EU but not in the UK, which is exactly the kind of issue Schrems II placed at the centre of any adequacy assessment. Although the adequacy decision is a separate process from the Free Trade Agreement, the two are politically interlinked and can yield benefits and complications for businesses in the EU and the UK depending on how they pan out.
What are the obligations on businesses currently?
In the month remaining before 2021 begins, businesses must consult and define their post-Brexit privacy compliance strategies. This means appointing an EU or UK representative where required, after consultation with a privacy expert, and ensuring that all data transfer and processing activities meet the GDPR and Data Protection Act requirements. Failure to comply can result in fines of up to £17.5 million or 4% of annual global turnover, whichever is higher, under the UK GDPR (and up to €20 million or 4% of turnover under the EU GDPR) should a violation be found in your business.
How can you ensure your business is privacy compliant at the end of the Brexit transition period?
UK businesses have around 30 days to become fully compliant with the post-Brexit data protection rules and data transfer measures under the GDPR and UK GDPR. All requirements must be met before 1 January 2021, which is a month from today. As a courtesy to you, Seers is offering a free 30-minute consultation with a leading privacy expert to help you prepare for Brexit and become compliant with data privacy regulations.
Book your free 30-minute Brexit privacy compliance consultation here.