26 September 2019

Data protection compliance Brexit checklist


In the event of a no-deal Brexit scenario, the UK would leave the EU immediately on 31 October 2019 with no agreement in place governing the withdrawal or the ongoing relationship between the UK and the EU.

Here’s the data protection must-have checklist that will help tech companies navigate some of the uncertainties of a no-deal Brexit.

Verdict: Data flows from the UK to the EU and abroad will largely continue uninterrupted; however, a new lawful transfer mechanism will be needed for data flows from the EU to the UK which will prove to be administratively burdensome.

30 second summary: In the event of a no-deal, the GDPR will become ‘retained EU law’ and continue to apply in the UK, as amended by UK regulations in order to make the legislation work. This is the equivalent of using the replace all function on Microsoft Word to replace EU with UK and hoping for the best. Most notably, the UK will be classed as a third country and any entities processing personal data in the UK will be international organisations for the purpose of the GDPR. This means additional transfer mechanisms may need to be adopted to make transfers of personal data between the EU and the UK lawful.

Checklist:

  • Domestic compliance: Continue to comply with the GDPR and the UK’s Data Protection Act 2018 in the UK as it will remain substantively unaltered.
  • Data mapping: Map data flows from the EU to the UK to assess if there is an international transfer issue (don’t forget about your sub-processors’ processing location).
  • Contract due diligence: Amend references in all relevant data sharing agreements, policies, templates etc. to expressly include (or if necessary, to exclude) reference to the UK. Restrictions of processing of personal data in the EU only will be problematic if processing in the UK. Consider a practical approach to implementing any changes required (see commercial tech contracts “Brexit checklist”:“https://www.withersworldwide.com/en-gb/insight/doomsday-no-deal-brexit-commercial-contracts-checklist-for-tech-companies.)
  • Privacy notices: EU based organisations need to explain to data subjects that their personal data is being transferred internationally by way of an update to the relevant privacy notice.
  • Transfers from the EU to the UK: Prepare ‘appropriate safeguards’ to cover transfers from the EU to the UK (including intra-group transfers) or prepare to start receiving them from your business customers. In most circumstances this is likely to take the form of” standard contractual clauses”:https://ico.org.uk/for-organisations/data-protection-and-brexit/keep-data-flowing-from-the-eea-to-the-uk-interactive-tool/ (SCCs), which can be conditioned to come into effect on the Brexit date and fall away if no longer necessary (i.e. if the UK obtains an adequacy decision).
    - Processors: Tech companies acting as processors should be pro-active here to avoid dealing with multiple ad-hoc customer requests – SCCs (controller – processor) may be your only quick fix.
    - Controllers: EU-based organisations sharing personal data with UK entities on a controller to controller basis, including intra-group sharing, also need a lawful transfer mechanism – SCCs (controller – controller) may be your only quick fix.
  • Transfers from the UK to entities outside the EU: UK companies will still need to use one of the lawful transfer mechanisms to transfer data abroad (other than to an EEA country or those with adequate status granted by the EU Commission, which remains unaffected).
  • Transfers from the UK to the US pursuant to the Privacy Shield: This mechanism shall remain unaffected, provided the US organisation has updated its public commitment to comply with the Privacy Shield to expressly state that those commitments apply to transfers of personal data from the UK. UK companies will need to ensure this commitment is in place and US companies should ensure they have updated their Privacy Shield notices accordingly.
  • Representatives: UK organisations offering goods or services in to the EU need to appoint an ‘EU Representative’ (this will be easy if you have another EU establishment or failing that there are service providers offering this service) and likewise, non-UK organisations offering goods or services into the UK will need to appoint a “UK Representative” (new requirement here).
  • Lead authority: Organisations with multiple establishments in the EU who previously thought the UK would be their lead authority need to assess which EU authority will now be their lead authority (update reporting contact details in your internal privacy policies).

Authors

Category: Article