Data Protection and a No-Deal Brexit - the Business Perspective
Much is made of the potential disruption to medical and fresh food supplies in the event of a no-deal Brexit, as highlighted in the UK government's Operation Yellowhammer report published in early September 2019, and of the opportunities for greater trade with the rest of the world, but little is said of the very real implications for businesses that rely on the transfer of personal data between the UK and the EU. This blog looks at some of these implications and is for interest only; it does not represent legal advice.
For those who are hoping the GDPR will disappear after Brexit, the news is all bad. The Data Protection Act 2018 will remain and the GDPR will be passed directly into UK law with a few technical adjustments. The outcome will be a UK version of the GDPR, and the Information Commissioner’s Office (ICO) will only have jurisdiction in the UK. Perhaps the most significant aspect, from a data protection perspective, is that on leaving the EU the UK becomes a ‘third country’ that does not (yet) have an ‘adequacy’ decision from the EU Commission. As a result, it loses the benefit of the unrestricted flow of personal data that applies between member states of the European Economic Area (EEA).
Currently, adequacy status is granted to 12 non-EU countries or territories that the EU Commission has deemed to offer an essentially equivalent level of protection. These include Andorra, Argentina, Canada, New Zealand and, most recently, Japan. Personal data transfers from the EU to the US are also covered by an adequacy decision, but only under a separate arrangement known as the EU-US Privacy Shield, and only for US organisations that have joined it. This requires the participating US organisations to ‘self-certify’ and make a public commitment to comply with the Privacy Shield principles, which mirror the EU data protection regime.
The benefit of having adequacy status is simply that international transfers to a qualifying country do not need additional safeguards unless derogations apply; for more details you need to review Chapter V of the GDPR. The degree to which a business will be affected will be determined by the extent to which it is currently making international transfers and to which countries. In some cases, it will cost UK businesses more to do exactly what they are doing at the moment. It may take up to two years after Brexit before the UK is granted adequacy status, and there is no guarantee of the outcome.
What is the immediate impact for UK businesses that currently transfer personal data to and from the EU? In the short term, the UK government has stated that UK law will continue to treat transfers to EEA states as permitted without further restrictions, but this is only one half of the story. If you offer goods or services to, or monitor the behaviour of, individuals in the EU but have no establishment there, you may need to appoint a ‘representative’ in the EU state where you do most of your business, as specified in Article 27 of the GDPR. The situation is even more complicated for those organisations within the EEA that transfer personal data to the UK. They will need to comply with the provisions of the EU regime, which means ensuring there are appropriate safeguards in place or relying on the exceptions listed in the GDPR. They may also need to appoint a representative in the UK, all of which may seem a great deal of effort (and expense) to do exactly the same thing they were doing before Brexit.
How can the safeguards referred to in this article be provided? For organisations other than public authorities, the main ones are shown below, but more details can be found in Article 46 of the GDPR:
- Approved Binding Corporate Rules (BCR), which are appropriate to multinational groups or a group of enterprises engaged in a joint economic activity. If these are not in place already, getting approval from the ICO before Brexit will be problematic as time is short.
- Reliance on standard contractual clauses (SCC) put in place between the parties to the transfer, i.e. the organisation sending the data and the organisation receiving it; this is definitely an option that should be considered. The ICO has produced an interactive tool to help businesses use SCCs (see ico.org.uk).
It’s all very complicated, and it’s difficult to know where to begin. I can’t pretend it is straightforward, and if you think you are impacted by a no-deal Brexit, then I recommend the following:
- Check whether any derogations (exceptions) apply in your case; these are listed in Article 49 of the GDPR. Also check whether a data flow is a restricted transfer at all. For example, if an EEA-based customer sends you their own personal data directly (rather than another organisation sending it to you on their behalf), the ICO does not treat that as an international transfer, so no new measures are needed for it.
- As a priority, look at the at-risk data flows, i.e. those that flow into and out of your business and, at some stage, are transferred beyond the UK. Then work with the applicable organisations to see whether you can quickly add additional safeguarding clauses (such as the SCCs) to your existing data processing contracts ahead of Brexit.
- Look at the ICO website, where you can find a lot of information on what organisations need to do, including an advisory paper entitled ‘Leaving the EU – six steps to take’ and the interactive tool on how to use SCCs mentioned above.
If you discover that you don’t need to make any international transfers, but you use a cloud service provider (CSP) for backups where the servers are outside the UK, you could always seek a CSP that uses only UK-based servers and whose staff only access the data from within the UK. I should add that you would need to stipulate this in writing with the CSP before entering into a contract, rather than assume it from the provider's marketing.
If you are not sure whether a particular processing arrangement counts as an international transfer, consider this: regardless of where the database or server might be, if someone outside the UK has access to personal data that you are managing, including just being able to read it on a ‘dumb’ monitor or via remote desktop, then it counts as an international transfer.
Phil Brown, Norfolk’s Data Protection Mardler