Brexit

A GDPR & Data Protection Advisory Note.

Published: 26/09/2019 Last updated: 08/11/2019

Terminology

GDPR – General Data Protection Regulation
DPA – Data Protection Act 2018
ICO – Information Commissioner’s Office
EU – European Union
EEA – European Economic Area
EC – European Commission

IN SUMMARY

One of the central aims of the GDPR is the facilitation of the free flow of data between all countries in the EEA. In practice this means that, currently, personal data can be transferred between organisations in the UK and the EEA without any specific or additional security measures needing to be put in place.

However, leaving the EU on a ‘no-deal’ basis will mean the principle of the free flow of personal data will no longer apply and the UK will be in the same position as virtually any other country outside the EEA.

IN DETAIL

THE PRESENT POSITION

Personal data can flow freely between organisations in the UK and EEA without any specific measures. That’s because there is a common set of rules governing the collection and use of personal data – the GDPR. In addition, the UK has its own supplementary legislation, the DPA.

The GDPR and DPA restrict transfers of personal data outside the EEA, i.e. to ‘third countries.’ This means that such transfers (which the ICO refers to as ‘restricted transfers’) can only take place in certain circumstances.

Those circumstances are where:

  • there is an ‘adequacy decision’;
  • ‘appropriate safeguards’ are put in place;
  • a derogation applies.

An adequacy decision means that the EC has decided that the country, although outside the EEA, is ‘safe’ to send personal data to.

Appropriate safeguards ensure that both the sender and the receiver of the transfer are legally required to protect personal data. These safeguards are most commonly enforced via contractual arrangements, known as Standard (or Model) Contractual Clauses.

The derogations are few and far between, are of practical use only in very limited circumstances, and are unsuitable for facilitating the regular transfer of personal data between organisations.

IF A BREXIT DEAL IS MADE

The proposed EU Withdrawal Bill contained provisions whereby the UK would be treated as if the EU had made a full finding of ‘adequacy’. In practice, this would have effectively meant that personal data transfers could continue, and the position would, for all intents and purposes, be the same as it is now.

IF THERE IS A NO DEAL BREXIT

1. Data flows UK to EU/EEA

In terms of data protection, the GDPR will become domestic law – to be known, perhaps rather confusingly, as the ‘UK GDPR’. The DPA will also remain in place. In addition, the UK has recently introduced the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019.

Together, these measures mean that in a no-deal situation, there will be no change as regards data flows from the UK to the EEA.

2. Data flows EU to UK

The UK, having ceased to be a member of the EEA, would be in the same position as any other country outside the EU. This means that any organisations established in the EU would not be able to send personal data from the EEA to the UK, except in the circumstances provided for by the GDPR (see above).

The most obvious solution would be for the EU to make an immediate ‘adequacy decision’ regarding the UK (after all, the UK is effectively in that position now). The UK government has already made it clear that it is ready to begin preliminary discussions on an adequacy assessment, but the EC has not yet indicated a timetable for this and has stated that the decision on adequacy cannot be taken until the UK has left the EU.

There is no doubt that any such adequacy decision will not be in place before the UK leaves the EU (and will probably take some considerable time to conclude).

Therefore, to continue to receive personal data from organisations established in the EEA, organisations based in the UK should engage with their EEA counterparts to carefully consider alternative transfer mechanisms to maintain data flows and to identify a legal basis for personal data transfers.

The most relevant alternative legal basis will be Standard Contractual Clauses. These are model data protection clauses that have been approved by the EC and enable the free flow of personal data when embedded in a contract. The clauses contain contractual obligations, as well as rights for the individuals whose personal data is transferred. Standard Contractual Clauses are particularly aimed at small and medium-sized organisations.

However, this may be difficult where an EEA-based data processor sends personal data to the UK. This is because there is currently no EU-approved set of Standard Contractual Clauses for use by an EEA-based data processor when sending data to a data controller in a third country.

3. Data flows between UK and US/Rest of the World

EU adequacy decisions, which were in place prior to Brexit day, can still be relied upon, which means that organisations in the UK will be able to continue to rely on these to send personal data to certain countries elsewhere in the world, outside the EU.

When making data transfers from the UK to the US relying on the EU-US Privacy Shield, organisations will need to make sure the US entity has updated its public commitments to expressly state that those commitments apply to transfers of personal data from the UK.

ANYTHING ELSE?

  • Under the GDPR, some organisations located outside the EU have to appoint a ‘Representative’ in the EU. Those who have done so by appointing a Representative in the UK will need to appoint one in the EU after any Brexit to comply with the GDPR. Similarly, those organisations located outside the EU that have appointed a Representative in another country in the EU (i.e. not in the UK), may need to appoint a Representative in the UK.
  • You should review your contracts and policies, to check if there are any restrictions about processing or transferring personal data outside the EEA/EU.

FAQs

Q: We are a UK based organisation which transfers personal data to another country inside the EU/EEA. Will we be able to continue to do so in the event of a ‘no-deal’ Brexit?

A: Yes. There will be no change as regards data flows from the UK to the EU.

Q: We are a UK based organisation which transfers personal data to a country outside the EU. Will we be able to continue to do so in the event of a ‘no-deal’ Brexit?

A: Yes. There will be no change as regards data flows from the UK. However, when making data transfers to the US relying on the EU-US Privacy Shield, organisations will need to make sure the US entity has updated its public commitments to expressly state that those commitments apply to transfers of personal data from the UK.

Q: We are a UK based organisation which receives personal data from another country inside the EU/EEA. Will we be able to continue to do so in the event of a ‘no-deal’ Brexit?

A: No, unless alternative transfer mechanisms have been put in place, e.g. Standard Contractual Clauses.

Q: We are a UK based organisation which receives personal data from another country outside the EU/EEA. Will we be able to continue to do so in the event of a ‘no-deal’ Brexit?

A: Yes. There will be no change as regards data flows to the UK from outside the EU.

Q: We are an EU/EEA based organisation which transfers personal data to other organisations in the UK. Will we be able to continue to do so in the event of a ‘no-deal’ Brexit?

A: No, unless alternative transfer mechanisms have been put in place, e.g. Standard Contractual Clauses. Much will depend on whether you are acting as a ‘controller’ or ‘processor’.

Q: We are an EU/EEA based organisation with an office in the UK. Will we be able to continue to transfer personal data to that office?

A: Yes. If you are sending personal data to someone employed by you or by your company, this is not a restricted transfer. The transfer restrictions only apply if you are sending personal data outside your organisation (this includes another company within the same corporate group, but which is a separate legal entity).

Q: We are a non-EU based organisation which transfers personal data to the UK. Will we be able to continue to do so in the event of a ‘no-deal’ Brexit?

A: Yes. There will be no change as regards data flows to the UK from outside the EU.

Q: We are a UK based organisation. Will we have to appoint a Representative in the EU in the event of a ‘no-deal’ Brexit?

A: Depends. Under the GDPR, some organisations based outside the EU have to appoint a ‘Representative’ in the EU. Please contact us for further advice.

Q: We are a non-UK based organisation. Will we have to appoint a Representative in the UK in the event of a ‘no-deal’ Brexit?

A: Depends. Those organisations based outside the EU that have appointed a Representative in another country in the EU (i.e. not in the UK) may need to appoint a Representative in the UK. Please contact us for further advice.

RECOMMENDATIONS AND ACTIONS

If you are concerned that your organisation may be affected by a ‘no-deal’ Brexit, you should act by following our Brexit Action Plan (below). Start by identifying your international ‘data flows’, i.e. make sure you are aware of and understand the situations in which you are receiving personal data from outside the UK:

  • Identify all organisations based outside the UK from which your organisation receives, or to which your organisation sends, personal data.
  • Divide these into 3 categories:
    • EU/EEA
    • USA
    • Rest of World
  • Re organisations in the EU/EEA:
    • Identify those from which personal data is received.
    • Contact these to ask if they will be putting in place an alternative transfer mechanism, such as Standard Contractual Clauses.
  • Re organisations in the USA:
    • Identify those to which personal data is sent under ‘Privacy Shield’.
    • Contact these to make sure they have updated, or will update, their public commitments to expressly state that those commitments apply to transfers of personal data from the UK.
  • Re organisations in the Rest of World:
    • No additional action required.

Remember that, although the onus will (normally) be on the sender of the data, you need to consider whether your organisation will be the one most at risk in the event of a ‘no-deal’ Brexit with no safeguards put in place.

DISCLAIMER

This note, which is based on various sources including the ICO, is for information purposes only. It is not intended to be a source of legal advice and must not be relied upon as such.