Top Five Privacy-Related Considerations In Preparation For Brexit

benisaacson
The Lucid Privacy Group
4 min read · Mar 21, 2019

According to a recent poll, 1 in 3 companies are considering moving their UK operations to other parts of Europe, including major corporations such as Sony. In preparation for the historic March 29th ‘deal or no deal’ showdown, Lucid Privacy has prepared the top 5 things you should consider doing should the UK leave the EU without a data protection agreement in place.

  1. Don’t confuse your UK ICO ‘registration’ with your EU GDPR ‘lead supervisor’. In compliance with the UK’s Data Protection Regulation of 2018, businesses who process UK personal data are required to register and pay a fee to the ICO (here). This requirement is completely separate from the question as to which Data Protection Authority may be considered your EU GDPR ‘Lead Supervisory Authority’.
  2. Rethink which Data Protection Authority is your ‘Lead Supervisory Authority’. In light of the recent French CNIL fine of Google, there is a new question as to how businesses should choose the lead supervisor that will assist with coordinating any official inquiries, complaints or incidents. This is especially the case for companies whose headquarters and main operations are in the U.S. Regardless, if you have multiple EU country offices in addition to the UK, including one that has any ‘decision-making’ authority over products or operations in that region, then it is recommended to consider that location’s Data Protection Authority to be your lead supervisor. For more information on how the EU views the ‘lead supervisor’ status, refer to this guide by the European Data Protection Board (EDPB) as well as GDPR Recital 124.
  3. New UK-specific data protection and transfer agreements. Perhaps the most frustrating aspect of Brexit may be the UK’s potential (temporary) demotion to ‘inadequate’ status for lawful data transfers to and from the EU. It is certainly only temporary since the UK will adopt the GDPR verbatim into UK law (not to be confused with the UK DPA 2018, which supplements the GDPR), but legally the EU is unlikely to recognize the UK as adequate until a post-Brexit deal is finalized. This could take weeks, months or years to complete, and in the meantime the legal compliance requirement will be to ensure all data flows from Europe to the UK, including HR data, have adequate data protection agreements in place. This can easily be accomplished by requiring all UK entities receiving data from the EU to agree to Standard Contractual Clauses endorsed by the European Commission. (Thankfully, the UK government indicated that data flows from the UK to the EU may continue unimpeded, and we should expect further clarity for UK to non-EU data transfers.) The EDPB offers additional guidance covering SCCs and other legal transfer mechanisms in the event of a ‘no deal’ Brexit here. France’s CNIL supplements this guidance with a new set of FAQs, and the UK ICO has a good interactive tool to use for this as well, here.
  4. ‘Consider’ assigning a new Article 27 ‘Representative’. This is not to be confused with the Article 37 Data Protection Officer who has an extensive operational role, but rather a ‘local designee’ who can receive official notifications from the EU on matters related to the GDPR. For most companies with an EU office in addition to one in the UK, this is a non-issue as you can simply designate another office to receive official EU correspondence in your privacy notice or other Data Protection Authority (DPA) correspondence. It is also a strong likelihood (at least in the short-term) that any EU DPA will recognize an existing UK office as satisfactory for Article 27 compliance. However, to be extremely cautious, consider using an outsourced ‘representative’ service such as Verasafe.
  5. Update Your Privacy Shield Statements. The U.S. Department of Commerce has offered some clarity as to what happens with Privacy Shield if there is a Brexit ‘no deal’ here. The good news is that the U.S. will continue to respect the UK’s participation in the framework with minor additions by U.S. participants. Specifically, Privacy Shield participants will need to add some UK-specific language to their public privacy policy and/or Privacy Shield statements as well as any private HR-specific privacy statements in advance of the conclusion of a Brexit transition period or the March 29th no-deal situation.

Plus... A final sanity check. GDPR compliance will not change. While you may very well need to put ‘no deal’ contingencies into place in time for March 30, 2019, the non-political reality of the UK’s adequacy remains. The UK has adopted the GDPR as their Data Protection Act of 2018, and the Privacy and Electronic Communications Regulations remain in effect for digital marketing and advertising uses. This means that all of your compliance obligations are the same regardless of Brexit. You shouldn’t change or add a new DPO, as that role can continue equally for both the UK and the EU. The main recommendation is to continue your GDPR compliance education efforts, and add special attention for the UK to your training materials.
