Data Protection Brexit Planning
Data Protection Brexit Planning
The UK triggered Article 50 of the Treaty of the European Union on 29 March 2017 and has two years to negotiate a Withdrawal Agreement and framework for a future relationship with the EU. If there’s ‘no deal’ the UK will exit from the EU at 11pm GMT on 29 March 2019.
As confirmed in the Information Commissioner blog post of 13 Dec, ‘[the] free flow of personal information will no longer be the case if the UK leaves the EU without a withdrawal agreement that specifically provides for the continued flow of personal data.’
.. and there’s no sign of that yet i.e. the EU Commission has not formally determined that the UK has adequate privacy laws to protect personal data.
Need to know?
The Government has already made clear its intention to permit data to flow from the UK to EEA countries. But transfers of personal information from the EEA to the UK will be affected, due to the lack of the adequacy decision. On paper this should be ‘a given’, but there’s a lot of politics involved, so don’t expect a decision to be in place before 29/3.
ICO guidance warns that no-deal planning is particularly relevant to UK businesses and organisations which (i) operate in the European Economic Area (EEA), which includes the EU; or (ii) send personal data outside the UK; or (iii) receive personal data from the EEA.
So that’s going to be a lot of us!
What to do?
The ICO’s preferred starting point is their “Six Steps to Take” guidance. The emphasis should be on STARTING, because this really is a skeleton document, with headings that are likely to create a lot more confusion than clarity. Think of them as Headings for your planning document; the hard work is what to write under each heading!
Headings 2, 3 and 4, ‘Transfer mechanism’, are likely to be the greatest challenge. NB Heading 4 is really a repeat of Heading 2!
If you’ve been transferring data out of the EEA you should be all over this! These flows should be documented and well known to you by now. ‘Six Steps’ guidance advises you will need to apply the new “UK transfer and documentation provisions” to these data flows.
If you can find these ‘new’ provisions, do let me know; I can’t find them! Best option is to ensure your transfer of personal data from the UK to third countries remains GDPR compliant.
If you’ve been receiving data from other EEA countries, the key change on 29/3 is that those data controllers/processors will be unable to transfer data to you in the UK. Multinationals, in particular, need to map these flows to ensure they can meet the current requirements for transfer to non-EEA/non-adequate countries. This is most likely going to require Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs).
The Information Commissioner has produced an online tool to help you through the application of SCCs (see link below). Essentially the tool ‘bails out’ if you look too complicated i.e. a multinational, and suggests you seek help on BCRs. If you’re a ‘simpler’ organisation, it points you to the controller-controller and controller-processor model contracts. Note that if the EEA SENDER of the personal data is a data processor, SCCs are NOT applicable. Track down who is the data controller and enter negotiations with them, not the processor.
Don’t forget to update those privacy notices and data capture devices. Phrases like we ‘never transfer data outside of the EEA’ will have to be changed.
Best guess pre 29/3 would be to consider phrases like ..’we never transfer data outside of the UK’ or because the UK has unilaterally declared members of the EEA as adequate countries, ‘we never transfer data outside of the UK or the EEA including Gibraltar’.
No change required yet, clearly, but good to have this planned in advance.
Information Commissioner: ‘Leaving the EU six steps to take’
- Information Commissioner: ‘Data protection if there’s no Brexit deal’
‘You should read this guidance if you are a business or organisation based in the UK and the GDPR currently applies to your processing of personal data’
- DCMS overview: Amendments to UK data protection law in the event the UK leaves the EU without a deal on 29 March 2019
- DCMS Technical guidance: ‘Data protection if there’s no Brexit deal’
The EU (Withdrawal) Act 2018 (EUWA) retains the GDPR in UK law. The fundamental principles, obligations and rights that organisations and data subjects have become familiar with will stay the same.
But it gets complicated when the UK is no longer a member state. That’s where EUWA comes in.
It allows UK Gov to make changes to GDPR and the Data Protection Act 2018 via new UK regulations.
Our DPO clinics will be focussing on this important topic for Q1 2019. To find out more about these, and other support services please contact firstname.lastname@example.org
Remember to keep an eye on the EU data protection board (EDPB) for any updates from the EU perspective or follow us on Twitter @icompli to stay right up to date.