Legal

Brexit : is the UK leaving the GDPR too ?

Brexit-GDPR.png

On the 15th of January 2019, British parliament has voted massively against the Brexit deal UK Prime minister Theresa May has been negotiating for months now.

This means the “no deal scenario” is getting more relevant than ever.

Apart from all the economic consequences, there will also be a huge impact on the transfer of personal data between the EU and the UK. 

In the event of a no deal Brexit, on 29 March 2019 the EU GDPR (the EU’s General Data Protection Regulation) will be brought into law in the UK through the European Union (Withdrawal) Act 2019. If a withdrawal agreement comes into effect, and with it a transition period, the EU GDPR may also continue to be applicable in the UK as an instrument of EU legislation. 

But on the expiry of any such transition period, or in the event of a no deal Brexit, the country will have its own, standalone regime - rooted in the EU GDPR but capable of modification by future UK governments (the “UK GDPR”).

In this case, the UK becomes a “third country” as described in chapter V of the EU GDPR

That would mean that any transfer of personal data between the EU and the UK must meet one of the legal requirements as set out in the EU GDPR.

On the 13th of December 2018, the UK government already stated that they will grant an adequacy decision to the 27 EU member states in case of a no deal scenario.

This decisions states that: 

  •  the EEA Member States are recognized as “adequate” for the purpose of the UK GDPR (allowing the free flow of personal data from the UK to the EEA)

  • the UK will adopt adequacy decisions to date by the EU, allowing transfers of personal data to continue from the UK to countries such as Guernsey, Israel and US companies which are Privacy Shield signatories

  • they will recognize the EU standard contractual clauses as a valid means of transferring personal data from the UK to international recipients outside of the EEA

However, no indications so far show that the EU will mirror these statements.
In this case, multiple scenarios are possible and these scenarios will determine what companies will need to do to remain compliant:

  1. The EU grants the UK an adequacy decision. Meaning : the EU considers that the UK adequately protects data, so transfer of personal data can be continued without any further protective measures.

    However, the EU already made clear that this is not going to happen in short notice, as they have no guarantees that UK legislation will continue to protect data in the same way Europe does.
    The procedure to grant an adequacy decision could start no sooner than the 29th of March 2019, when the Brexit official is a fact and typically takes several months, if not years.

  2. More likely: No deal and no adequacy decision, so the UK becomes a third country and companies processing personal data from people in Europe, will need to comply to the GDPR on their own.

    • Appoint representatives
      Both the EU GDPR and the UK GDPR will require controllers to appoint representatives as required by Article 3(2) of the EU GDPR. UK GDPR will replicate this requirement.

    • Relations with supervisory authorities
      Organizations that are in scope of both EU GDPR and UK GDPR after the Brexit (regardless of the “deal” or “no deal” scenario) will be under the jurisdiction of at least two supervisory authorities.
      As long as it remains unclear how this will be handled, companies will need to comply with the ICO for the UK part, and choose a lead supervisory authority in the 27 remaining EU countries for any cross-border transactions.

    • Role of the DPO

      Where a DPO has been appointed, organizations should consider whether that DPO can still perform that role under both regimes, given that in the future, that person will need to have suitable expertise in both EU and UK privacy laws.

    • Remain compliant

      On Brexit, a number of steps are important to remain compliant, both for companies in Europe and in the UK :

  • Update your existing policies and procedures like privacy notices, register of processing activities, Binding Corporate Rules etc…

  • Make sure you have appropriate safeguards in place when transferring data to and from the UK

  • For UK companies operating across Europe: review structure, processing operations and data flows to make sure they apply to the changed situation.

  • Review all privacy information and internal documentation to identify and details that will need updating on Brexit

Both the ICO (Information Commissioner’s Office) and the Irish Data Protection Commission have posted guidelines on what British companies should do if that becomes reality on the 29th of March 2019.

GDPR : Legal or IT stuff

We've assigned our corporate legal department 
to take care of the GDPR

You can't argue that, for sure. The GDPR is a regulation, with 99 articles, together with 173 recitals. So there is no discussion : this is the domain for lawyers and legal counsels.
So it is understandable that companies think of their legal department first to assess the impact of the GDPR on their activities.

And if all goes well, your lawyer will translate the regulation into readable and understandable instructions, and provide you with a prioritised list of topics for your business. He will also interpret certain articles that the European regulator left open for discussion, and, based on his own experience, advise you how to tackle them.

But unfortunately, from that moment on, you will have to take care of things yourself. Indeed, the instructions of your lawyer will need to be implemented into your organisation.
Your staff needs to be trained and the necessary awareness created. Policies and procedures need to be put in place and all processing of personal data must be registered.
You will probably need a number of processing agreements with suppliers with whom you share personal data, you will need templates for consent forms ...
You will need an adequate procedure to respond in case of a data breach and when an individual wants to execute his rights as a data subject, you will have to make sure he gets a proper answer in due time.

And, although your lawyer is certainly a key person in this project, he generally is not the most appropriate party to take care of this practical approach.

On top of that, a very important aspect is the integrity, confidentiality and security aspect of personal data, requested in article 5 of the GDPR. And by extension of all your data.
Indeed, what's the use of having a clear privacy statement on your website, of allowing your contacts their right of erasure, right of rectification, right to object etc...., if you cannot guarantee the security of those data. And also for these aspects of the GDPR, your lawyer or legal counsel will rely on the information security specialists to take care of things.

Precisely in these domains, our proven approach will help you to plan, budget and implement the GDPR in your organisation.

Based on the ISO27001 framework, we have developed a system that gives you a clear view on your current situation. You get an overview of all domains of information security, off course with clear references to the GDPR. It all starts with a number of interviews of key people in your organisation. A list of specific questions gives us a detailed insight on your way of working and potential issues for your information security. The results of those interviews are summarised in a practical dashboard that will be the guideline for future actions and improvements.

Together with your management team, your legal counsel and your IT-staff, we budget, prioritise and plan the necessary actions. We start with the low hanging fruit, so you can immediately show some results and assist you all the way in becoming GDPR compliant.

And if, in a later stage, you want that official ISO27K certification, you are already on the right path…

Contact us via privacy@serve-it.be for more information.