In 2016, the EU passed the General Data Protection Regulation (GDPR), which came into force in May 2018. That same year the UK voted to leave the EU and, throughout the process of doing so, committed to the standards for data protection set out under the GDPR.
The question arose during this process as to whether the UK would maintain those standards post-Brexit. In the same year that the GDPR came into force, the UK passed the Data Protection Act 2018, incorporating many of the elements of the GDPR into national law ahead of the exit. This indicated a level of commitment to those standards, which was repeated in the agreed political declaration that would form the basis of the negotiations for the future relationship between the UK and the EU.
The UK’s exit was then followed by a transition period of one year. The transition stage allowed negotiations to start on the future trading relationship between the UK and the EU, and the positions taken by the government at this stage on alignment on data protection might change.
Brexit transition period
Now, as we move towards the end of the Brexit transition period, organisations need to ensure that they have the relevant policies, processes and procedures in place to remain compliant with data privacy regulations, including data sharing agreements, a data transfer strategy, an EU/UK Representative and more.
The role of the ICO, how data can continue to flow to and from the UK, and the impact of the Schrems II judgment are key areas under question. All of this brings about requirements for UK/EU representatives, data sharing agreements and a data transfer strategy, as well as the help of key privacy experts during this sensitive time to help businesses improve their privacy compliance.
The following webinar covers the key measures that organisations should undertake at this time to adjust to the new needs and emerging legal challenges within the privacy and data transfers domain:
By planning for the post-Brexit privacy climate and running your business practices past privacy experts, you can reduce the chances of litigation, fines and reputational damage. You can identify your current gaps and mitigate any risks to reduce any threats to the bare minimum. More on how you can do so is covered towards the end of this article.
Leaving the EU: Are transfers still permissible? (data protection)
As of the 31st of January 2020, standard data transfers between businesses were permissible for the time being without being subject to any additional safeguards.
This will change as the transition period comes to an end in 2021, at which point the UK will become a third country and be treated as such. At the end of the transition agreement, which is about a month from now, the UK will be granted an adequacy decision following the European Commission’s assessment of the data protection framework in the UK.
Article 46 of the GDPR requires that, in order to proceed with an agreement, either party needs to adhere to the standard contractual clauses within the agreement, which establish binding mechanisms that allow for enforcement, or to binding corporate rules under Article 47 of the GDPR, which are subject to approval by national regulators.
Ultimately, however the scenario plays out, businesses will be required to overhaul their compliance framework and strategy for engaging with their EU customers.
What other regulatory obligations will UK businesses have to commit to? (Data protection)
In terms of the GDPR, businesses in the UK will still have to commit to the general principles and framework currently in place after the transition period, by virtue of the Data Protection Act 2018. Under this, there are not many changes to the level of compliance required. Policies and procedures will still have to be put in place, processing of data will have to be limited to the purposes for which it was collected, etc.
The obligations within the UK may then be subject to change, though if adequacy remains a key pursuit of trade policy with the EU, they are unlikely to change dramatically.
Once outside the EU, however, and in accordance with the ICO guidance, businesses that are processing personal data in the EU without a physical presence will be required under Article 27 of the GDPR to appoint an EU Representative, who will serve as the first point of contact for EU citizens and regulators making enquiries and complaints. The appointment of an EU representative will be required even if an adequacy decision is in place.
What is the status in relation to non-EU countries who have been granted adequacy decisions and transfers between them and the UK?
With regard to transfers outside of the UK, the Data Protection Act 2018 is fairly vague beyond its references to conducting a GDPR audit and to transfers for intelligence services and law enforcement purposes. However, given the references to the GDPR, it is fair to assume that the circumstances for transfers outside the UK will remain subject to the same safeguards provided under Articles 46 and 47 of the GDPR.
The jurisdictions that are currently subject to EU adequacy decisions include Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland, Uruguay and the United States of America (post the Privacy Shield framework dismissal). The free transfer between these countries and the UK may become restrictive following the UK’s formal exit, as Schrems II applies to the UK now. The ICO has recommended that the proper transfer tools should be considered within the timeframe.
Also, companies that are processing data in the UK but lack a formal presence in the country will require a UK representative in accordance with the guidance provided by the ICO.
What are the key aspects businesses should take into account?
In light of Brexit, businesses that are processing data will have to navigate further uncertainty during the transition period. Accordingly, businesses should prepare for the worst-case scenario, which is that the UK leaves without a deal and is deemed as providing adequate protection.
As part of this preparation, businesses should ensure that they are compliant with the standards expected under the GDPR, and make arrangements to appoint an EU representative in an EU member state where they are collecting data but lack a formal presence.
There are concerns around the UK’s surveillance capabilities and access to the personal data of individuals based in the EU but not in the UK. The adequacy decision is also contingent on the Free Trade Agreement decision.
What are the obligations on businesses currently?
For the next month, before the year 2021 begins, businesses must consult on and define their post-Brexit privacy compliance strategies. This means appointing an EU/UK Representative if required after consultation with a privacy expert, as well as ensuring that all data transfer and processing activities meet the GDPR and Data Protection guidelines. Failure to comply can result in a fine of approximately £9 million should a violation be found in your business.
How can you ensure your business is privacy compliant at the end of the Brexit transition period?
The UK has 30 days to become fully compliant with the Brexit data protection policies and data transfer measures under the GDPR. All requirements must be met before the 1st of January 2021, which is a month from today. As a courtesy to you, Seers is offering a free 30-minute consultation with a leading Privacy Expert to help you prepare for Brexit and become compliant with data privacy regulations.