As we step into 2021, EU GDPR will no longer apply within the UK. From the 1st January 2021, the Data Protection Act 2018 (“DPA”) will remain in place and the UK Government will bring the ‘UK GDPR’ into domestic law, which will be the UK’s version of the EU GDPR. In many respects the UK’s GDPR will be the same as the EU GDPR. As such, it will largely support a smooth post-Brexit transition for UK organisations with respect to data processing. However there are some key issues that organisations ought to be aware of and may need to be addressed prior to Brexit depending on your organisation’s processing activity.
This article aims to provide practical step by step guidance on key issues to consider ahead of the end of the transition period. We recommend that organisations prepare and document a Data Protection Brexit Plan and allocate sufficient resource to ensure required actions are addressed in good time to support uninterrupted data processing after the transition period.
One key area of concern (and the main focus of this article) is supporting the continued flow of personal data from EU member states to the UK. With each passing week, it appears less likely that the UK and EU will agree a deal before the end of the Brexit transition period. What this means for data protection is that until a deal is reached, it’s also unlikely that the UK will receive an adequacy decision from the European Commission.
An adequacy decision is a decision from the European Commission confirming that it considers that the relevant country offers an adequate level of protection for the rights and freedoms of data subjects. If a country has an ‘adequacy decision’ it means that an EU member state can share data with an organisation in the relevant recipient country without putting in place additional safeguards; a much less complicated and efficient approach to international transfers.
In the absence of an adequacy decision being granted to the UK, some disruption to data flows between the EU and UK is possible. Organisations will require to put in place appropriate safeguards to support any continued data flowing from EU to UK; strictly speaking these ought to be in place prior to the 31st Dec 2020. For organisations involved in high volumes of data sharing or complicated data sharing activities involving the EU putting in place additional measures may be complicated and resource intensive.
To avoid any post-transition disruption to data flows, we have set out some recommend steps organisations can take to prepare for a no-deal Brexit.
How will data flows look in a ‘no-deal’ post transition period?
- UK to EEA – the UK Govt has said it will support the export of data to the EU by UK organisations. No additional issues to be addressed as a result of end of transition period.
- UK to Non-EEA – if your organisation already transfers data to non-EEA countries, it should already have appropriate safeguards in place to facilitate a GDPR compliant transfer. No additional issues to be addressed as a result of end of transition period.
- EEA to UK – EU GDPR will apply to the EU based sender and the data cannot free flow as it did before as UK will be a ‘third country’. Appropriate safeguards will need to be put in place to support EU to UK transfers.
Appropriate Safeguards
If your organisation needs to maintain a free flow of personal data between the EU and UK after the transition period, there are safeguards that can be put in place to support this, in the absence of an adequacy decision. These options are noted below. The obligation to put these additional safeguards in place rest with the EU ‘sender’ of personal data under the EU GDPR. Therefore from the UK’s organisation perspective, it is likely that the EU sender will take the lead on this issue and have a preference over what option it wishes to rely on. However, we would recommend that if your UK organisation has not yet received contact from the EU sender with regard to putting in place additional appropriate safeguards, that your organisation considers approaching the EU sender to commence negotiations/discussions to avoid delay and potential disruption to data flow.
Options:
- Standard Contractual Clauses (SCCs) - likely to be the best option for organisations, these EU approved contractual terms can be entered into by the data importer and data exporter to safeguard the transfer of personal data between the EU and a third country. Consideration ought to be given to the requirement for the EU ‘sender’ to undertake risk assessments on the recipient to ensure recipient and its legal system supports compliance with the SCCs. UK organisations ought to be prepared for having to respond to such risk assessments quickly in order to be able to agree and enter into the SCCs and support free flow of data.
- Binding Corporate Rules (BCRs). If your organisation is part of a multinational group of companies you may have EU approved Binding Corporate rules in place to support intra-group personal data sharing from the EU to a third country such as the UK. Post transition period, these will still be valid but may need to be updated to reflect the UK’s exit from Europe.
- Administrative Arrangements: Less commonly used and available to public bodies that cannot enter into contracts to share personal data.
- Exceptions: Most likely to be appropriate for occasional processing only. Examples include having consent from the data subject for the transfer or where the transfer is necessary to perform a contract with a data subject. More information can be found here
Aside from supporting continued data flows from EU to UK, your organisation ought also consider other key matters such as updating existing privacy related documentation and key contracts; whether it requires to appoint an EU Representative; or whether it requires to appoint an EU Lead Supervisory Authority. We have set out a high-level check list below to help support your organisations Brexit preparations.
Consideration ought to be given as to whether your organisation will require additional resource requirements to support execution of any issues e.g. ensure DPO/legal team have awareness of size of job at hand and can commit to requirements within agreed timescales. It will be important for any Brexit plan to be flexible and capable of reacting to any changes in government policy and the possible agreement of a deal with the EU, which could change key issues e.g. the UK getting an adequacy decision.
Download: Practical Steps to preparing for a “no deal” Brexit?
Insight from Morgan O'Neill, Director Data Protection Services at Thorntons. For more information contact Morgan on 03330 430350 or email moneill@thorntons-law.co.uk
