No-Deal Brexit and data protection – are you ready?
Amidst the continued uncertainty and frustration surrounding Brexit, data protection compliance is unlikely to be at the top of your to-do list. However, a no-deal Brexit could have significant implications for how you as a business send, receive and process personal data going forward and you should therefore consider taking steps now to prepare.
The ICO has published a number of resources designed to help organisations of all sizes get ready for a no-deal Brexit: www.ico.org.uk/for-organisations/data-protection-and-brexit/.
We have summarised some of the key points for you to consider if you are a UK business or if you transfer personal data to the UK.
Will GDPR still apply?
Technically, the GDPR will not apply to the UK in the event of a no-deal Brexit as it is an EU regulation. However, the Data Protection Act 2018 which supplements the GDPR in the UK will continue to apply and the intention is for the government to incorporate the provisions of the GDPR directly into UK law if we leave without a deal. The rights and obligations will therefore largely mirror the current position, with some notable differences briefly described below.
International transfers
Under the GDPR, personal data can only be transferred outside the EEA (which will include the UK after we leave the EU) if the transfer is covered by an adequacy decision, appropriate safeguards or an exception.
- Transfers from the UK
The UK government has confirmed that transfers from the UK to the EEA will not be restricted. You can therefore continue to transfer personal data to the EEA without taking any additional steps. You can also continue to transfer personal data to countries covered by an EU adequacy decision (including the Isle of Man, Guernsey, New Zealand and Switzerland), as well as to US organisations covered by Privacy Shield (provided they have updated their public commitment to comply with the Privacy Shield to expressly state that it applies to transfers of personal data from the UK). For any other transfers, provided you are currently complying with the requirements of the GDPR when making such transfers then you will not need to take any additional steps.
- Transfers to the UK
If we leave the EU without a deal, there will be no adequacy decision in respect of the UK. Transfers from the EEA to the UK will therefore only be permitted if they are covered by appropriate safeguards or an exception.
The ICO suggests that entering into standard contractual clauses (“SCCs”) which have been adopted by the European Commission would be the most convenient appropriate safeguard to put in place for most businesses. These would be entered into between the EEA controller and the UK controller or processor and cannot be amended (except to add business-related clauses which do not contradict the SCCs).
European Representatives
If you are based in the UK and do not have a branch, office or other establishment in any other EU/EEA state but you either offer goods or services to individuals in the EEA, or monitor the behaviour of individuals in the EEA, you may need to appoint a European representative.
The representative will be authorised to act on your behalf and liaise with any supervisory authorities or data subjects in relation to your GDPR compliance. They can be an individual, company or organisation and must be established in an EU/EEA state where some of the individuals whose personal data you are processing for such purposes are located.
There are some limited exceptions to the requirement to appoint a European Representative, namely if:
- You are a public authority; or
- Your processing is only occasional, of low risk to the data protection rights of individuals and does not involve the large-scale use of special category or criminal offence data.
The above is only a brief summary of some of the steps that you may need to take to prepare for a no-deal Brexit. For more information or advice, contact Acuity’s data protection team who will be happy to assist.