GDPR and Brexit: 6 Steps to take

Published: September 24th, 2019

Author: Matt Quinn

Categories: GDPR



The three years since the Brexit vote have been filled with high drama – today’s Supreme Court decision being the most recent example. But amidst all the politics, some of the substance can get lost. What does Brexit mean in practice? What will the consequences be? Much of the focus has, understandably, been on the Northern Irish border, where any disruption of the flow of people, goods and services could have significant consequences. But another area highly exposed to the breakdown of cross-border movement is that of personal data. At the moment, GDPR harmonizes data protection law across all 28 EU Member States. With Boris Johnson currently insisting that the UK will leave the EU on the 31st October 2019, what will the implications be for UK-based data controllers and processors?


Handily, the ICO has produced a six step guide to help organisations stay on the right side of the law in the event of a no-deal Brexit.


Step 1: Continue to Comply.


You should continue to implement GDPR compliance standards and follow current ICO guidance. The Data Protection Act 2018 will remain in place and the government intends to bring the GDPR directly into UK law on exit.


Therefore, most GDPR requirements will remain the same. This means the most important step your organisation can take is to ensure you comply with GDPR principles, rights and obligations.


Step 2: Transfers to the UK


You will need to review your data flows and identify where you receive data from the EEA, including from suppliers and processors. Consider what GDPR safeguards you can put in place to ensure that data can continue to flow freely once the UK has left the EU.


Note, if you receive data from organisations in the EEA, the sender will need to comply with the transfer provisions of the GDPR. This means the sender needs to make sure there are adequate safeguards in place (to protect the data), or one of the exceptions listed in the GDPR applies.


Step 3: Transfers from the UK 


As part of the exercise above, you will need to review your data flows and identify where you transfer data from the UK to the EEA, or to countries outside the EEA, as these will fall under new UK transfer provisions and documentation requirements.


It is important to note that the UK government has stated that, when the UK leaves the EU, transfers to the EEA from the UK will not be restricted. This means you will be able to continue to send personal data from the UK to the EEA without any new/additional requirements.


Rules on transfers to countries outside the EEA are likely to remain similar. In the ICO’s opinion, “at this stage you don’t need to take any specific steps. We expect the UK government to confirm that the UK will reflect existing EU adequacy decisions, approved EU Standard Contractual Clauses and Binding Corporate Rules.”


Step 4: European Operations


If you operate across the EEA, you should review your structure, processing operations and data flows to assess how the UK’s exit from the EU will affect the data protection requirements that apply to your organisation. You will need to consider the different data protection regimes, who is your lead supervisory authority and whether you need to appoint a European representative.


Step 5: Documentation


You should review your privacy information and your documentation to identify any details that will need updating when the UK leaves the EU. As the ICO point out, the requirements regarding privacy notices and documentation are unlikely to change. “But you need to identify any references to EU law or other EU terminology and be ready to make changes to reflect UK terminology by the exit date. You also need to review what you say about international transfers and reflect any changes, especially for data transfers between the UK and EEA.”


Related to this, you may also need to review any existing data protection impact assessments if they involve data transfers between the UK and the EEA.


Step 6: Organisational Awareness


Ensure that key people in your organisation are aware of these important issues. Include the above steps in any business planning for leaving the EU, and make sure to keep up to date with the latest information and guidance.


Therefore, to avoid getting caught out, organisations simply need to meet all their data protection obligations.


At Apomatix, we have an automated solution that will help you quickly and efficiently assess your GDPR compliance obligations. You can then use our platform to treat any outstanding items.  

