While some impacts of a no deal Brexit have been well documented in the press, such as the potential shortage of medical supplies, issues relating to data protection have received less attention. Yet a no deal Brexit would impose significant regulatory hurdles and it is therefore advisable for UK businesses to prepare accordingly.
Here we discuss the data protection challenges posed by a no deal Brexit and set out some of the solutions which businesses should consider implementing in order to overcome them.
Legal framework
Following a no deal Brexit, UK laws concerning data protection, including the Data Protection Act 2018, will continue to apply and the GDPR will be incorporated into UK law – this is referred to as the UK GDPR. UK organisations will essentially be required to comply with the same obligations to which they should have been adhering since the introduction of the GDPR in May 2018.
Transfers
One of the key causes for concern in the event of a no deal Brexit is the impact this will have on data transfers between the UK and the European Economic Area (“EEA”). Currently, data can be transferred freely between organisations in the UK and those elsewhere in the EEA. However, in the event of a no deal Brexit, such transfers would become subject to restrictions, at least in relation to transfers from the EEA to the UK.
In respect of data transfers from the UK to the EEA, the British government has said that these will not be restricted, meaning that no additional steps will be required to continue to transfer data from the UK to other entities in the EEA.
In terms of transfers of data from the EEA to the UK, the rules on data transfers as set out in the GDPR will apply following a no deal Brexit. Once Britain leaves the EU, it will technically become a “third country” for the purposes of the GDPR and therefore organisations based in the EEA which are seeking to transfer data to entities in the UK would need to have in place a lawful mechanism for doing so.
The most seamless way to transfer data to a recipient in a third country under the GDPR is where an “adequacy decision” has been made by the EU Commission in respect of that country. Where this is the case, personal data can be transferred freely to such countries without relying upon other legal mechanisms. The UK government had hoped that an adequacy decision in relation to the UK would be in place immediately following Brexit. However, the EU Commission has insisted that it will not start the (often lengthy) adequacy decision process in respect of the UK until such time as it has formally left the EU.
The effect of this is that transfers from the EEA to the UK will need to be based on other lawful mechanisms set out in the GDPR from the date a no deal Brexit takes place. In the majority of cases, the most appropriate lawful mechanism for such transfers will be for the parties to enter into EU approved “standard contractual clauses” (“SCCs”). There are currently two sets of SCCs which have been approved by the EU Commission – these regulate transfers from:
One legal grey area that has emerged is in relation to transfers from an EEA processor to a UK controller following a no deal Brexit. There are no SCCs which will regulate such transfers and often there will be no other suitable lawful mechanism for these types of transfer. It is expected (or perhaps hoped) by the UK government that the European Data Protection Board, of which the ICO is currently a member, will issue guidance on this in the event of a no deal Brexit.
An alternative to SCCs which group companies with a UK presence may consider is to implement Binding Corporate Rules (BCRs). However, BCRs are subject to approval from the relevant supervisory authority, which for UK businesses is the ICO, and it will prove time consuming to put such documentation in place.
Finally, UK organisations which currently rely on the EU-US Privacy Shield to transfer personal data to organisations in the US should be aware that this will no longer serve as a valid transfer mechanism in the event of a no deal Brexit, unless the recipient US organisation has updated its public commitment to comply with the Privacy Shield to include the UK.
Procedural requirements
Although the UK will have left the EU, many UK organisations will continue to be caught by the EU GDPR due to the extra-territorial scope of the GDPR. Where this is the case, organisations must consider whether or not they are required to appoint an EU representative pursuant to Article 27 of the GDPR.
On the flipside, the UK government has indicated that a similar requirement will apply to non-UK entities which are bound to comply with the UK’s data protection regime following Brexit, meaning many EU organisations carrying out activities in the UK could be caught.
In addition to the above, UK organisations which have any branches or establishments in the EU, or are otherwise caught by the extra-territorial provisions of the GDPR and will be carrying out cross-border processing in the EEA following Brexit, may be required to update their lead supervisory authority following Brexit.
Review your documentation
At present, UK organisations have drafted their GDPR compliance documentation from the perspective of the UK being a member of the EU. Businesses should therefore review their GDPR compliance documentation in advance to ensure that references which assume EU membership are updated accordingly. In particular, it would be prudent to review:
Conclusion
The UK leaving the EU without a deal will have serious data protection consequences not only for UK organisations, but also for EU organisations which transfer personal data to the UK or process it there. Businesses should be aware of the additional compliance steps which they may need to take following the UK’s exit from the EU without a deal and begin preparations for this as soon as possible.
Please contact us if you need any assistance preparing your data protection arrangements for Brexit.