Last week, the Information Commissioner's Office (ICO) issued guidance to businesses on how to prepare for a no-deal Brexit in the data protection sphere and the UK Government issued guidance in relation to data protection law post-Brexit. The guidance will be of particular importance to organisations who have operations outwith the UK.
We consider this guidance and offer advice as to initial steps that organisations should take.
Will the GDPR continue to apply?
Short answer: Yes!
This question should really be, “Why will the GDPR continue to apply when we leave the EU?”
It is important to note that Brexit will not mean that the GDPR will cease to apply. The Government has previously stated that the GDPR will be incorporated into UK law upon the UK’s departure from the EU and that the Data Protection Act 2018, the UK statute which supplements and modifies the GDPR in the UK, will continue to be valid and enforceable. So, all your hard work that you have undertaken to implement the necessary changes to comply with the GDPR has not been for nothing!
If you are a data controller, your responsibilities will remain unaltered post-Brexit and data subjects will continue to have the same rights. Therefore, your business should continue to ensure that it is GDPR compliant and that it acts in accordance with the principles, rights and obligations contained in the GDPR and the guidance issued by the ICO.
Importantly, the UK Government has also stated that the extra-territorial scope of the GDPR will continue to apply to controllers or processors who are outwith the UK. This will mean that, if your organisation is based outside the UK but processes the data of those in the UK in order to offer goods or services, or to monitor behaviour, you must comply with the GDPR.
Transfers to the UK
If your organisation relies on the free flow of data (whether it be HR data or customer data) from countries within the European Economic Area, Brexit is likely to affect whether this can continue.
The problems associated with Brexit may eventually be resolved by the issuing of an “adequacy decision” by the European Commission – essentially a decision declaring that a country outside the EU offers an adequate level of personal data protection. Such a decision would allow data to flow to the UK without further safeguards, and the government has indicated its intention to seek one. The difficulty, however, is that the UK must first have left the EU before the European Commission can issue such a decision, so it could take some time. In the meantime, your organisation will need to take action to ensure that it can continue to receive data from countries within the EEA.
So what sort of action might your business need to take?
Unless your organisation can rely upon an exception within the GDPR (of which there are a number, but which can, in the main, only be applied in narrow circumstances), this will involve implementing appropriate safeguards such as “standard contractual clauses”. This will require you to have a contract in place with the sender of the data which incorporates the standard data protection clauses. The ICO has prepared template contracts for organisations to use for this purpose and has created an interactive tool on its website to assist small and medium-sized businesses in deciding whether they need to adopt such clauses.
However, if your organisation is required to rely upon standard contractual clauses, there will be a period of limbo, where standard contractual clauses cannot be used, between the UK leaving the EU and the standard contractual clauses being released. This is likely to cause serious disruption and the UK Government has not addressed this problem. It has merely acknowledged that “for those that rely on data transfers from the EU, alternative mechanisms for such transfers are available” and advised that standard contractual clauses may be used as an alternative means of transferring data.
So, it is probably best to use the time between now and March 2019 to consider:
- Are you impacted?
- If so, would any of the exemptions apply?
- If not, put standard contractual clauses in place – on the basis that, if nothing else, it places obligations on the parties to protect data subjects
Transfers from the UK
If your organisation transfers data to countries within the European Economic Area, there is unlikely to be significant disruption. The UK Government has confirmed that the free flow of data from the UK to the EEA will not be affected – it will transitionally recognise all EEA member states as providing an adequate standard of personal data protection. Therefore, there are no immediate actions that your organisation needs to take in this respect.
Other matters to consider if your business operates within the EU
Post-Brexit, the ICO will no longer have a role in the EU data protection regime and therefore, if your organisation has EU branches or offices, the EU data protection regime will apply to your organisation’s activities. Further, if your business is based in the UK but you sell goods and services to those in countries within the EEA, you will be subject to the EU regime.
Further, post-Brexit, your organisation may not be able to continue to rely upon the “One-Stop-Shop rule”, which allows organisations with operations throughout the EU to deal with only one European supervisory authority, rather than having to deal with each authority in every member state where the organisation has operations. If your lead authority is currently the UK’s ICO, you must consider which EU or EEA authority will become your lead authority once the UK leaves the EU. It is advisable that you contact that authority in due course.
If your organisation is based in the UK only, but sells goods and services to those in the EEA or monitors the activity of those in the EEA, you must appoint a European Representative. The representative, which may be an individual or an organisation established in the EEA, represents your organisation and liaises with individuals and data protection authorities within the EEA. European Representatives must not be your processor or your data protection officer.
There are other key steps that your organisation should take in order to prepare for Brexit:
- You should review your contracts and documents to ensure that any references to EU law and EU terminology are updated
- The key individuals within your organisation must be aware of the possible data protection consequences of Brexit and ensure that they read and comply with any guidance issued pre-Brexit
Given that Brexit is now just over three months away, it is important that your organisation takes preliminary action now.