- 12 February 2020
- Posted by: Elaine McGrath
- Category: Commercial Law
What is the impact of BREXIT on data protection?
Political clarity on Brexit was provided in the recent UK General Election. However, there is continuing uncertainty over what impact Brexit will actually have on business and, in particular, on businesses that transfer data to and from the UK. The ability to use data, through the legitimate transfer, storage and processing of data, drives modern businesses and is a key ingredient of a successful organisation. It follows that how data is dealt with between the UK and EU post-Brexit is of paramount importance to businesses, their customers and the individuals whose data is processed.
During the transition period, EU law will still apply and therefore with effect from 01 February GDPR remains in force as it stands and will most likely do so for the duration of the transition period. The UK’s Information Commissioner’s Office (ICO) issued a statement on 29 January last confirming that it will be “business as usual” for data protection during the transition period. Whilst it is likely that GDPR will be incorporated into UK domestic law at the end of the transition period and that this will sit alongside the UK’s Data Protection Act 2018, it must be noted that this is not guaranteed.
In any event, at the end of the transition period (likely end of 2020), the default position, in the absence of an agreement, would be that the UK will leave on World Trade Organisation Terms. In those circumstances, the relationship between the EU and UK with respect to data will be altered and a determination will be required as to how data will be dealt with between the entities. In the absence of agreement on a novel way of dealing with data, the UK – EU data relationship will be governed by one of the three current data relationship options.
UK – EU Data Relationship Options
Adequacy Decision: The European Commission (EC) has the power to determine whether a country outside the EEA offers an adequate level of data protection, either through its domestic legislation or international commitments it has entered into. The UK’s intention to fully incorporate GDPR into its domestic law may assist in this regard. However, gaining an adequacy decision can be a very lengthy process. If the UK does not receive this adequacy status, it will be deemed a ‘third country’. This means that any flow of personal data will have to be under an alternative transfer mechanism such as Binding Corporate Rules or Model Contract Clauses.
Binding Corporate Rules: BCRs are internal rules for data transfers within multinational companies. They allow multinational companies to transfer personal data internationally within the same corporate group to countries that do not provide an adequate level of protection. There is a lengthy approval process involved in establishing BCRs including a review of the BCRs by relevant Data Protection Authorities. A straightforward BCR application can take 12 months to complete. This leads to a period of time where alternative arrangements must be considered.
Model Contract Clauses: The European Commission can decide that standard contractual clauses offer sufficient safeguards for personal data to be transferred internationally. It has issued standard contractual clauses for the following circumstances: EU controller to non EU or EEA controller and EU controller to non EU or EEA processor. On the UK’s exit from the EU, further review and amendment of any data processing/transfer agreements between the EEA and UK will be required. This not only poses an administrative burden but also has financial implications.
What key steps should a business take?
- Maintain up-to-date records of processing and complete a list of all data flows to and from the UK by your business.
- Fully identified data flows should allow you to quickly scope out and plan for the majority of the work that will be required in terms of subsequent contract and data protection notice updates/amendments.
- Review all data protection notices and amend where necessary. Consider notices that have a blanket statement such as ‘No personal data will be transferred out of the EU/EEA’ as well as any derogation that may apply under Article 49 of the GDPR.
- Formulate a communication plan for updating your Data Protection Notices.
- Update due diligence procedures to allow for data processors situated in the UK.
- Review and update all existing data processing contracts to ensure appropriate clauses are in place e.g. Model Contract Clauses.
- Consider the use of Binding Corporate Rules to continue to transfer personal data to group entities based in the UK.
- Assess what transfer mechanisms are currently in place to protect personal data and any additional security measures necessary.
- Consider any planned initiatives to identify UK dependencies from both a system and contract perspective.
- Consider updates required to Data Protection Impact Assessments and Privacy by Design controls.
How can we help?
Reddy Charlton Solicitors advise clients on data protection matters, having considerable experience and a number of experts in the area. If you have any related queries or are seeking further information on our range of services please contact a member of our Commercial Team who will be delighted to assist you.