The nation may be divided on Brexit but one thing is agreed: it is imperative that business owners arm themselves with as much information about potential disruption as possible. One area that you may not have considered is data protection. This may be because we have only just recovered from GDPR, so surely this cannot be changing again.
However, when the UK leaves the EU, GDPR will cease to have direct effect in the UK. The good news is that UK businesses that comply with GDPR and have no contacts or customers in the EEA don’t need to do much more to prepare for data protection post Brexit. Nevertheless, many small businesses do trade with our European counterparts.
In short, the GDPR imposes restrictions on the transfer of personal data to a ‘third country’. The UK Government has stated that following Brexit it does not intend to apply these restrictions on transfers of personal data from the UK to the EEA. Therefore, UK organisations will continue to be able to send personal data to organisations in the EEA.
The EU, however, has not granted a similar concession in respect of transfers to the UK. Post-Brexit, transfers of personal data from the EEA to the UK will be restricted. This will have a major impact on organisations that routinely transfer personal data from the EU to the UK (such as UK organisations with customers in the EU).
Organisations may therefore need to adopt specific legal safeguards to support the lawful transfer of personal data to the UK, consistent with the requirements in Chapter V of the GDPR.
The UK still hopes to secure an ‘adequacy’ finding from the EU that would remove the need for specific safeguards, and the EU has indicated that it is prepared to consider this, but not until the UK has formally left the EU. Even then, an adequacy decision is unlikely within the first 12 months after exit day.
If an organisation has data processing activities in both the EU and the UK, following Brexit it is likely that the organisation will be subject to regulatory responsibilities under both EU and UK legislation. This may result in additional compliance requirements, such as appointing a separate data protection officer (DPO) for the UK and for the EU.
There are a number of things that businesses can be doing now. This includes adopting Standard Contractual Clauses (SCCs) in their agreements. These are provisions which have been approved by the EU as a legal basis to safeguard the transfer of personal data to third countries. It is important to be aware that SCCs cannot be used to safeguard all transfers so it is best to take advice before doing this.
Businesses can also ensure that all references in records, contracts and notices to the EU/EEA are updated to reflect the post-Brexit position of the UK being outside the EU. This may require changes to records of processing activities, insofar as these are affected by Brexit, and to Privacy Notices, which should refer to any data transfers to ‘third countries’ and include correct details of any DPO, local representative and/or lead supervisory authority. It is also advisable to review contracts with third parties to ascertain whether they include specific references to the GDPR or the EEA, or anticipate a data transfer between the EU and the UK.
To discuss any matters relating to the above or any other commercial or corporate requirements, please contact Greg Vincent, Partner in the Corporate and Commercial Team on 0208 971 1033 or by email on [email protected].