
Brexit


A GDPR & Data Protection Advisory Note.

Published: 26/09/2019 Last updated: 22/09/2020

Terminology

GDPR – General Data Protection Regulation
DPA – Data Protection Act 2018
ICO – Information Commissioner’s Office
EU – European Union
EEA – European Economic Area
EC – European Commission

IN SUMMARY

One of the central aims of the GDPR is the facilitation of the free flow of data between all countries in the EEA.  In practice this means that, currently, personal data can be transferred between organisations in the UK and the EEA without any specific or additional security measures needing to be put in place.

However, a ‘no-deal’ Brexit will mean the principle of the free flow of personal data will no longer apply and the UK will be in the same position as virtually any other country outside the EEA.

IN DETAIL

THE PRESENT POSITION

Personal data can flow freely between organisations in the UK and the EEA without any specific measures. That’s because there is a common set of rules governing the collection and use of personal data – the GDPR. In addition, the UK has its own supplementary legislation, the DPA.

The GDPR and DPA restrict transfers of personal data outside the EEA, i.e. to ‘third countries.’ This means that such transfers (which the ICO refers to as ‘restricted transfers’) can only take place in certain circumstances.

Those circumstances are where:

  • there is an ‘adequacy decision’;
  • ‘appropriate safeguards’ are put in place;
  • a derogation applies.

An adequacy decision means that the country, although outside the EEA, is ‘safe’ to send personal data to.

Appropriate safeguards ensure that both the sender and the receiver of the transfer are legally required to protect personal data. These safeguards are most commonly enforced via contractual arrangements, known as Standard (or Model) Contractual Clauses.

The derogations are few and far between. They are only of practical use in very limited circumstances and are unsuitable as a basis for the regular transfer of personal data between organisations.

AFTER 31st DECEMBER 2020 – IF A DEAL IS MADE

If a deal is made, it is expected that, as part of that deal, the UK would be treated as if there had been a full finding of ‘adequacy’. In practice, this would effectively mean that personal data transfers could continue, and the position would, for all intents and purposes, be the same as it is now.

AFTER 31st DECEMBER 2020 – IF THERE IS NO DEAL MADE

1. Data flows UK to EEA

In terms of data protection, the GDPR will become domestic law – to be known as the ‘UK GDPR’. The DPA will also remain in place. In addition, the UK has introduced the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019. Together, these measures mean that in a no-deal situation, there will be no change as regards data flows from the UK to the EEA.

2. Data flows EU to UK

The UK would be in the same position as any other country outside the EEA. This means that any organisations established in the EEA would not be able to send personal data to the UK, except in the circumstances provided for by the GDPR (see above).

Therefore, to continue to receive personal data from organisations established in the EEA, organisations based in the UK should engage with their EEA counterparts to carefully consider alternative transfer mechanisms to maintain data flows and to identify a legal basis for personal data transfers.

The most relevant alternative legal basis will be Standard Contractual Clauses. These are model data protection clauses that have been approved by the EC and enable the free flow of personal data when embedded in a contract. The clauses contain contractual obligations, as well as rights for the individuals whose personal data is transferred. Standard Contractual Clauses are particularly aimed at small and medium sized organisations.

However, this may be difficult where an EU/EEA-based data-processor sends personal data to the UK. This is because there is currently no EU-approved set of Standard Contractual Clauses for use by an EU/EEA-based data processor when sending data to a data controller in a third country.

FAQs

Q: We are a UK based organisation which transfers personal data to a country inside the EEA. Will we be able to continue to do so in the event of a ‘no-deal’ Brexit?

A: Yes. There will be no change as regards data flows from the UK.

Q: We are a UK based organisation which transfers personal data to a country outside the EEA. Will we be able to continue to do so in the event of a ‘no-deal’ Brexit?

A: Yes. There will be no change as regards data flows from the UK.

Q: We are a UK based organisation which receives personal data from another country inside the EEA. Will we be able to continue to do so in the event of a ‘no-deal’ Brexit?

A: No, unless alternative transfer mechanisms have been put in place, e.g. Standard Contractual Clauses.

Q: We are a UK based organisation which receives personal data from another country outside the EEA. Will we be able to continue to do so in the event of a ‘no-deal’ Brexit?

A: Yes. There will be no change as regards data flows to the UK from outside the EU.

Q: We are an EEA based organisation which transfers personal data to organisations in the UK. Will we be able to continue to do so in the event of a ‘no-deal’ Brexit?

A: No, unless alternative transfer mechanisms have been put in place, e.g. Standard Contractual Clauses.

Q: We are an EEA based organisation with an office in the UK. Will we be able to continue to transfer personal data to that office?

A: No, unless alternative transfer mechanisms have been put in place, e.g. Standard Contractual Clauses.

Q: We are a non-EEA based organisation which transfers personal data to the UK. Will we be able to continue to do so in the event of a ‘no-deal’ Brexit?

A: Yes. There will be no change as regards data flows to the UK from outside the EEA.

RECOMMENDATIONS AND ACTIONS

If you are concerned that your organisation may be affected by a ‘no-deal’ Brexit, you should make sure you are aware of and understand the situations in which you are receiving personal data from outside the UK:

  1. Identify all organisations based outside the UK from which your organisation receives, or to which your organisation sends, personal data.
  2. Divide these into two categories:
    • EEA
    • Rest of World
  3. For organisations in the EEA:
    • Identify those from which personal data is received.
    • Contact these to ask if they will be putting in place an alternative transfer mechanism, such as Standard Contractual Clauses.

DISCLAIMER

This note, which is based on various sources including the ICO, is for information purposes only. It is not intended to be a source of legal advice and must not be relied upon as such.
