By Samuel Plantié, Principal Data Protection Consultant, Gemserv
We are almost reaching the end of the Brexit transition period. From January 2021 and from the perspective of the EU, the UK will become a “third party country” for data protection purposes.
Although the General Data Protection Regulation (GDPR) is still applicable in the UK during the transition period and will remain the data protection baseline after January, a few significant points are still uncertain. If you are doing business in the EU, or if some of your providers are based, share or store data within the EU, there are important steps you should be taking right now to prepare your organisation for all possible scenarios.
The first thing to take into account is that GDPR has been incorporated into UK law: your data protection obligations will remain the same from January. With this out of the way, a little background is necessary to understand the rest of the situation.
UK data protection post-Brexit: the background
The UK is looking to obtain an “adequacy decision” from the EU as part of the negotiations on a trade agreement. Being adequate means that the UK would still be able to exchange data freely with the EU without having to put in place additional safeguards. However, it is unlikely that this will be implemented by January, as new requirements from the European Court of Justice will potentially delay progress.
No adequacy decision for the UK has several consequences for UK organisations, such as your data protection governance structure and data flows.
Representative and Data Protection Officer
If you are currently doing business in the EU from a UK based office, you will have to set up a representative in the EU who will be responsible for answering enquiries from European data protection authorities. This representative can be an office, a branch, an establishment or it can also be outsourced under certain conditions. Moreover, if the UK Information Commissioner’s Office (ICO) was your Lead Supervisory Authority for all your operations across the EU (“One-Stop Shop), you will also have to select a new Lead Supervisory Authority in an EU country.
If you have appointed a Data Protection Officer, the good news is that they can still be based in the UK. The requirements for Data Protection Officers are to be “accessible”, for instance in terms of working hours or language, which is not a situation that will change from January 2021.
Safeguarding your data flows
Data flows are undoubtedly going to be one of the main challenges in a Post-Brexit world.
You may be pleased to learn that your personal data transfers from the UK to the EU will not be impacted, and you will still be able to send data relating to UK individuals from the UK to your EU recipients as usual.
However, in the absence of an adequacy decision, personal data flows from the EU to the UK can no longer happen without implementing sufficient legal safeguards. This would usually require UK recipients to sign Standard Contractual Clauses, a legal instrument that duplicates EU data protection obligations into a contract. If you are based in the EU, you will need to update your data sharing agreements with your UK recipients to include Standard Contractual Clauses.
Finally, data flows from the UK to other adequate countries designated by the EU (such as Guernsey or Canada) will not be impacted, however transfers from those countries to the UK will have to be assessed individually for each country.
Essential steps that you need to take by end 2020
- Map and review your personal data flows, especially those between the EU and the UK.
- Identify the role of each sender and recipient involved (controller or processor).
- Update your data sharing or data processing agreements and include Standard Contractual Clauses.
Despite the steps above, there are still important questions that remain unaddressed for UK organisations.
One is the future of ePrivacy in the UK (cookies and direct marketing), and the position the ICO will adopt post Brexit, especially with regards to cookie banners and consent.
Another, is the potential impact of the Schrems II case on UK adequacy. Back in July 2020, the Schrems II case invalidated the EU-US Privacy Shield, which was the legal framework to safeguard data flows between the EU and the US, because of US mass surveillance laws. The UK’s own surveillance laws will be reviewed by the EU before granting an adequacy decision, and this might come up as a challenge in the process. Worse, it might also add further complexity to the implementation of Standard Contractual Clauses between EU senders and UK recipients of personal data!
As the deadline looms closer, we expect that there will be further developments. One thing that is pretty certain is that, data protection compliance remains an ever-dynamic item in the agenda of many organisations.