Thinking about what Brexit means to your business? Don’t forget to consider your EU data flows!

No matter where you sit in the Brexit debate there’s probably a good chance it will have some kind of impact on your business — and in the world of data compliance that’s no different. Believe it or not, Brexit might have an impact on your data compliance too! If you didn’t already have enough to worry about!

What’s the GDPR issue?

The GDPR restricts the transfer of EU citizens’ personal data outside the EEA unless appropriate protections are in place. This is to protect the data in parts of the world where GDPR does not apply — if it’s processed outside the EEA then it’s processed outside the controls of the GDPR and therefore protection of EU citizen’s cannot be guaranteed. So the law says you can’t transfer data or process it outside the EEA unless appropriate protections are in place and there are various ways that can be achieved:

  • The EU declare the country has equivalent (and therefore adequate) data protection laws (e.g. as what has happened with Japan recently)
  • The EU have an agreement in place with the country (e.g. the Privacy Shield arrangement between the EU and the US) allowing organisations within those countries to “self-certify” they’ll apply EU standards of protection
  • A contract is place making use of “model clauses” that are dictated by EU regulation
  • (or there are Binding Corporate Rules for internal group transfers)

What’s the Brexit data protection issue?

Depending on what happens with Brexit but assuming the UK does leave the EU (deal or no-deal) the UK will, from a data protection perspective, find itself being outside the EU and therefore strictly speaking not bound by the GDPR. We could find ourselves, what is called, a “third country”. This therefore poses a number of questions:

  1. Will anything change?
  2. Will the EU declare the UK as having adequate data protection law and add us to their list of equivalent countries?
  3. Could we end up with our own version of Privacy Shield?
  4. What does it mean to UK companies processing EU citizen data outside the EU?
  5. What does it mean to EU companies wishing to process their data in the UK?

The answers to these questions will vary depending on whether we leave with a deal (e.g. via an agreed withdrawal agreement) or if we leave in a “no deal” scenario.

Data protection and a withdrawal agreement

If the current withdrawal agreement goes through (whether amended or not) from a data protection perspective there are conditions included which mean that UK-EEA data flows should continue as they do now, until 2020. By 2020 alternative arrangements/solutions will be put in place.

We’d like to think these alternative arrangements would be confirmation the UK has adequate data protection compliance and we’ll be listed with the other countries (like Japan, New Zealand, Israel, etc.) who have equivalent data protection regimes and therefore no other controls will be needed. But, there is a concern from some spectators that actually in some similar areas (e.g. data retention regulations put upon tech and internet companies) aren’t compliant with EU standards and therefore would need to change if there was to be equivalence.

Worse case scenario is that we’d either have to negotiate our own version of the Privacy Shield or all parties involved in a processing activity would have to put in place the model contract clauses to cover the processing.

Data protection and a “no deal” situation

In a “no deal” scenario, we will not be able to rely on any of the arrangements till 2020. This means that UK-EU data flows will be challenging in a no-deal situation, because no agreements will be in place between the UK and the EU for data flows (as they currently are for a deal situation). What a no deal is likely to mean is:

  • UK to EU data flows will continue as they do now as the government have indicated their intention to allow UK to EEA data flows
  • If you operate in the UK only and do not process any EU citizen data then little is likely to change other than you should continue to apply GDPR standards of data protection to your processing activities
  • If you process EU citizen data, so are passed EU data from an organisation in the EEA for processing, the EEA organisation will not be able to pass the data to you unless appropriate safeguards are in place and these are likely to be the “model clauses” or “standard contractual clauses” (SCC)
  • If you sell products or services to EU citizens from the UK, so are processing EU citizens’ data but only because you are selling services to them (rather than as a processor) then you will need to apply GDPR standards of data protection as GDPR applies to the processing of all EU citizens’ data regardless of where in the world you are (and you’ll be answerable to the regulator in any of those EU countries where the citizens are from)
  • If you are a multi-national group with offices in the UK and the EU, then there’s a good chance you will need to apply different regimes of data protection and would be answerable to both the ICO in the UK and a European regulator for your offices in each of the EU states where their citizens are located
  • All organisations in the UK will be expected to apply the UK data protection regime and will be answerable to the ICO as the UK regulator

But, that’s not all:

  • If you operate across the EU then currently you can benefit from what is called the “One-Stop-Shop”, i.e. the ICO is able to deal with all EU data protection actions regardless of where in the EU an infringement has taken place — this means you don’t have to worry about dealing with multiple regulators across the EU
  • The GDPR also requires that in some circumstance any organisation outside the EEA that processes EU citizens’ data because they offer services or products (or monitors their behaviours) to them, should have a representative within the EEA. This is not the case if you process occasional data and it’s “low risk” (i.e. not special category) and not on a large scale. If you do, then you’ll need to find someone to act as your representative within the EEA.

So, what should you do now?

  1. Review your data and your data flows to identify which of any of the “no deal” points above apply
  2. Review your currently documentation and policies to identify where you refer specifically to EU law or terminology that will need changing after Brexit
  3. Look at your DPIAs to see if they may be impacted (where you are transferring data to the EU)
  4. Make sure everyone in your organisation is aware of what these changes might mean — as they’re pretty complex and vary depending on the scenario then consider delivering a brief overview but focus on key parts of your business that will definitely be impacted

Where can I get help with all this?

If you’d like to know more about what this all means, we’re running a free Brexit webinar briefing on 20th February and whilst we’ll be covering pretty much what’s covered in this post, there will be an opportunity to ask questions.

And of course, you can always sign up to the Digital Compliance Hub and benefit from our support, advice, guidance and tools (we hope to rollout a number of tools once things become a little clearer to help UK businesses comply).