You’d be forgiven for thinking Covid-19 had cancelled Brexit, given how little attention it has received in recent weeks. No news is good news, or so they say. However, the EU/UK cogs are slowly turning back to full steam ahead in negotiating a deal.
The transitional arrangement, which has the UK out politically but still in economically, expires at the end of the year. Much depends on these negotiations – including what happens to the General Data Protection Regulation [GDPR]. Brexit, particularly if there’s a ‘No Deal’ scenario, may have a serious impact on Irish companies’ data protection obligations.
Who will be impacted by Brexit?
There are many scenarios in which Brexit may affect a company’s GDPR compliance efforts. How much depends on many things, such as: the company’s business model, where its head office is, the services it provides, and the partners it works with.
Irish-based companies may be involved in transferring personal data to the UK. For example, they may be outsourcing key functions such as HR, IT, payroll, or marketing to companies in the UK. They might be using UK-based IT service providers for software/servers/data analytics. Their pension operator might be located there.
At the same time, UK-based companies dealing with European companies and data subjects may also have to review their work practices. Here are a few things for your business to consider.
Data protection considerations after Brexit
The transition period to negotiate a new relationship with the EU will expire at the end of 2020. The current default assumption is that the GDPR will be brought into UK law as the ‘UK GDPR’.
Compliance with UK law as well as with the GDPR
- The GDPR is an EU regulation and, in principle, it will no longer apply to the UK after the transition period. The UK Government intends to incorporate the GDPR into its data protection law, so in practice there will be little change initially to the core data protection principles, rights and obligations found in the GDPR. However, it is possible that they will deviate over time.
- Irish-based organisations communicating with UK data subjects are unlikely to see any changes here initially but will certainly have the additional obligation to watch for any changes to the UK data protection regulations.
- The UK Information Commissioner’s Office (ICO) will remain the independent supervisory authority for the UK’s data protection legislation. It will not be the regulator for European activities caught by the EU version of the GDPR, although it is expected to continue to work with the European supervisory authorities.
- UK companies will need to comply with UK data protection law and follow ICO advice for UK data subjects. If the two regimes start to diverge, they will need to adapt their practices for EU data subjects.
Appoint a European representative at the end of the transition period (Article 27)
- Organisations established outside the EU that offer goods or services to individuals in the EEA, or monitor their behaviour, must designate a representative in the Union, as set out in Article 27 of the GDPR.
- The representative must be established in one of the member states where the data subjects whose personal data is being processed are located.
- If a UK company has no office in the EEA, it must appoint another company or an individual established in one of those member states as its representative. The representative role is separate from, and must not be combined with, that of the registered DPO.
- The representative must be authorised, in writing, to act on the company’s behalf regarding EU GDPR compliance, and to deal with any supervisory authorities or data subjects in this respect.
Put in place appropriate safeguards for any data transfers
- In a ‘No Deal’ Brexit scenario, with no arrangements to ensure an adequate level of data protection, the UK will be treated like any other ‘third country’ without an adequacy decision.
- If a UK company wants to transfer data to the EEA, it needs to follow the UK data protection regime. The UK government has said it does not intend to restrict data flows from the UK to the EEA.
- If an EU company is transferring personal data to the UK, the transfer needs to be done in compliance with the GDPR. That means appropriate safeguards have to be in place.
- It is not yet clear whether the UK will be classed as an adequate country. It is possible that an adequacy decision could be reached, where the EU Commission finds the level of protection to be sufficient. However, this process would not be automatic and, judging by previous adequacy decisions, could take months or years to finalise.
- One common mechanism for protecting personal data transferred outside the EU is the use of ‘standard contractual clauses’ (SCCs). This is likely to be the relevant mechanism for most Irish-based controllers that transfer personal data to the UK.
- Another mechanism is Binding Corporate Rules, which are mostly relied upon by multinationals for transferring data.
Updates to Third Party Management
- Data controllers and data processors must have appropriate measures in place so that all processing activities are compliant.
- Companies will have to update their due diligence procedures for data processors located in the UK.
- Review and update all existing data processing contracts to ensure the appropriate clauses are in place, e.g. transfer clauses.
Review your existing data protection notices, policies and procedures
- Companies will have to review their privacy notices and data processing agreements to reflect any changes, such as the appointment of an EU representative (see the Article 27 section above) or the safeguards put in place for data transfers.
- Any existing policies and procedures, such as the data subject rights procedure, need to be reviewed to reflect these changes.
- Review the record of processing activities to scope out the impact of the changes: which processors are affected, what the contract management implications are, and which privacy notices need updating.
- Consider updates to existing Data Protection Impact Assessments and Privacy by Design controls
Continue to watch any future change to remain compliant
- It is likely that, over time, the GDPR and the UK data protection regulations will diverge from each other. A UK organisation must ensure it is compliant with both the UK and the European regulations.
- For marketing-related activities in particular, the current Privacy and Electronic Communications Regulations (PECR) cover marketing, cookies and electronic communications. They derive from EU law but are set out in UK law, so they will continue to apply after the UK leaves the EU.
- At the same time, the EU is replacing the current e-privacy law with a new e-privacy Regulation (ePR). The new ePR is not yet agreed.
The situation is still changing, so it is worth keeping up to date with notices from the UK. The ICO has published guidance and resources for companies after Brexit on its website. It also has a tool to help small and medium-sized businesses with the free flow of data between the UK and the EEA. The Irish Data Protection Commission’s website regularly releases advice on data protection, including material relating to Brexit.