What organisations should do to prepare data protection activities in the event of a no deal Brexit.
After the significant defeat of the Withdrawal Agreement in the "meaningful vote", a no-deal Brexit looks increasingly likely. Without taking the significant preparation steps outlined in our workshops and other collateral, organisations face the possibility of massive disruption to their business operations (including potential cessation of business with UK-based organisations), or of being non-compliant with laws in multiple jurisdictions.
One area of preparation that may not have received the level of attention it merits is data protection. The withdrawal agreement text initially agreed between the EU and the UK included a transition period during which data protection laws in both jurisdictions would remain as they are. If this agreement had been approved by the UK parliament, and by each of the EU 27, then few urgent changes would be needed for many organisations.
Many organisations transfer data between EU member states multiple times a day. Data transfer involves data leaving the organisation, e.g. being sent from one subsidiary to a parent or sister company, or the use of a sub-contractor or processor to carry out activities on behalf of the data “exporter”.
With the defeat of the Withdrawal Agreement bill, and if no other agreement is made before March 29 2019, the following scenarios require urgent attention:
- UK organisations’ data transfer to the EU
- UK organisations’ data transfer to the rest of the world
- EU organisations’ data transfer to the UK
UK organisations’ data transfer to the EU
In order to transfer any personal data out of the UK to the EU, your organisation will need to ensure that the requirements of UK law and EU law are met. The UK is likely to consider the EU’s data protection measures as sufficient to protect personal data. However, your organisation will need to ensure that appropriate organisational and technical measures are in place.
UK organisations’ data transfer to the rest of the world
UK organisations can currently transfer data to the rest of the world on the basis of EU treaties and adequacy findings. It is not currently clear whether the UK will continue to recognise the EU’s adequacy decisions post-Brexit.
EU organisations’ data transfer to the UK
Post-Brexit, the UK will be just like any other third country without an adequate data protection regime (in the EU’s eyes). In order to continue to transfer data from the EU to the UK (as for example from the Republic of Ireland to Northern Ireland), a means to legitimise the transfer would be required. This could take the form of Binding Corporate Rules or “BCRs” (within a single organisation) or Standard Contractual Clauses. BCRs can take a great deal of time to negotiate and gain approval, and if not already underway, they are unlikely to be approved before March of this year.
Some organisations are choosing to mitigate this risk by ceasing the use of any outsourced service provider, data processor or third party based in the UK in favour of an EEA-based provider. Changing third parties before the March 29th date would of course require new contracts with a replacement provider; transition activities; and a certain amount of operational impact.
Organisations with operations in the UK and other EU states may need to interact with two different regulators as distinct Lead Supervisory Authorities (e.g. the ICO in the UK and the DPC in Ireland). This may lead to additional administrative overhead, and a more complex process if there are breach notifications required.
The use of Standard Contractual Clauses (sometimes called Model Clauses) to legitimise data transfers to third countries is under judicial review in the EU and may not be a reliable means of justifying the data transfer. While this method is useful in the short- to medium-term, other measures may be required.
UK organisations offering goods and services to the EU may need to appoint an EU-based representative (as per Article 27 of the GDPR). This may require a tender and due diligence process to be completed before engaging a representative to comply with GDPR requirements.
Steps to take:
- Map the personal data being transferred between the UK and the EU.
- Consider any inter-firm or outsourcing agreements between parent and subsidiary or sister companies.
- Determine if the transfers will need to continue beyond 30 March 2019. If this is the case, then assess the various transfer mechanisms to decide which one best suits the situation and work towards having it in place before 30 March 2019. If you choose not to continue transferring data, you may need to switch to a new supplier/service provider, with the various contractual and operational changes that brings.
- Confirm that you are fully aware of whether your outsourced providers and third parties carry out any onward transfers between the UK and the EU (in either direction).