As anyone who has wrestled with implementing GDPR in May 2018 will know, the European Union has a particularly stringent take on how businesses should handle personal data. So, will Brexit mean that British businesses can breathe a sigh of relief and go back to their devil-may-care ways? Or will GDPR compliance mean that your company is all ready to work with EU clients without feeling the effect of Brexit?
No - on both counts. To make sure that your business’s data practice is fully ready for Brexit you’ll need to make sure that your business still abides by both the EU’s General Data Protection Regulation (GDPR) and the UK’s Data Protection Act 2018 (DPA 2018) – and you may need to put extra measures in place too.
If the UK leaves the EU on October 31st, it will no longer be automatically considered ‘data adequate’ by the EU. This has implications for the ‘flow’ of personal data between the European Economic Area (EEA) and the UK. The UK has already said that it will allow personal data to flow to the EU – but the EU has, as yet, not made a similar commitment around EU personal data flowing to the UK.
So. What does all of this mean for your business? Here are the tools and rules you need to check out to make sure you face as little data disruption as possible.
1. Sorry, There’s No Avoiding It
You don’t have to be a digital agency handling terabytes of consumers’ personal info - issues around data compliance impact all businesses. According to the Information Commissioner’s Office (ICO) personal data is: “information that relates to an individual. That individual must be identified or identifiable either directly or indirectly from one or more identifiers or from factors specific to the individual.”
So not just mailing lists and research, but employee information too. That means it’s an issue that doesn’t just apply to digital agencies processing huge swathes of info. “If there is any transfer of personal data, regardless if it be a small volume or large volume, it is subject to GDPR,” says Konrad Shek, strategic policy adviser.
2. … But There Are Workarounds
The EU may not have decreed the UK data adequate, but that doesn’t mean that your data flow needs to grind to a halt. There are certain recognised safeguards that you can adopt – the most pertinent being Standard Contractual Clauses (SCCs).
“They are invaluable and we recommend looking closely at the guidance on the ICO website,” says Konrad Shek.
Don’t let the legalese put you off; these are seriously handy. SCCs are a set of standard contractual terms that can be incorporated into the wider contracts that cover your terms of business. Even better, if you’re a small or medium-sized organisation, the ICO has created a tool on its website that helps you figure out whether SCCs are right for you – and templates to help you generate your own SCCs. Remember, while you can incorporate an SCC into a contract, do not alter or modify it, because that will render it no longer effective.
If you’re a multinational company with offices in the UK and EEA countries and you want to share data between them, you’ll need to put ‘Binding Corporate Rules’ in place. You can find out more about them here.
When it comes to data transferred between the EU and the US, the US has established the US Privacy Shield framework. If you send data to a US Privacy Shield organisation, the Privacy Shield participant will need to update its public commitment to specifically reference the UK, in addition to the EU. There is further information on the US government’s Privacy Shield website.
3. You Might Need Data Representatives
If your business is UK-based, is involved in the transfer of personal data from the EEA, but does not have an office in any other EU country, it will need to appoint a data representative in the main country from which it transfers data. This gives local data protection authorities someone to liaise with in the event of a data breach.
Your data representative may be an individual, or a company or organisation established in the EEA, and must be able to represent you in respect of your obligations under the EU GDPR (it could, for example, be a law firm, consultancy or private company). In practice the easiest way to appoint a representative may be under a simple service contract.
4. One Stop Shop?
UK businesses processing the personal data of customers and clients in other EEA countries have, to date, been able to use the UK’s ICO as a ‘one stop shop’ point of contact as their lead Data Protection Authority. Depending on the set-up of your operations, you might not be able to continue to rely solely on the ICO in this way after Brexit. So head to the ICO website and review your operations to establish what steps your specific business needs to take. There’s a full rundown here.
5. Support and Useful Links
Regularly check the GOV.UK website for updates. The ICO has a page dedicated to Brexit that covers the implications for data protection and data transfers in more detail, and its SCC tool provides template contracts. If you need more information about your obligations and what you need to do to comply, we recommend seeking legal advice.