Brexit's been delayed until 31 October 2019, and while the government battles to negotiate a deal, organisations must prepare for the worst-case scenario – a no-deal Brexit.
Firstly, you should continue to comply with the GDPR post-Brexit. The GDPR is an EU regulation which applies to EEA countries ("EU GDPR"). When the UK leaves the EU, the EU GDPR will no longer be law in the UK; however, on exit the government intends to bring the GDPR into UK law ("UK GDPR"). The UK GDPR will have tailored provisions so that it functions in a UK-only context.
Set out below are some key issues you should consider in the event of a no-deal Brexit:
If you're based in the UK and don't have another establishment in the EEA, but you:
- offer goods or services to individuals in the EEA; or
- monitor the behaviour of individuals located in the EEA
you still need to comply with the EU GDPR when processing those individuals' personal data following Brexit. Under the EU GDPR you're required to appoint a representative within the EEA. This representative must be based in an EEA country where some of the data subjects whose personal data you're processing are located.
If you require a representative you must authorise them, in writing, to act on your behalf. You'll also need to notify the EEA data subjects whose personal data you're processing of your representative's details, e.g. by updating your privacy notice. The details of your representative need to be readily accessible to supervisory authorities, e.g. by publishing them on your website.
You don't need to appoint a representative if:
- you're a public authority; or
- your processing is only occasional, of low risk to the data protection rights of individuals, and does not involve special category (formerly known as "sensitive") or criminal offence data on a large scale.
Interestingly, the reverse is true for non-UK-based companies. Non-UK-based companies will need a UK representative if they process the personal data of UK citizens.
Transfers from the EEA to the UK
In a no-deal Brexit scenario the UK will become a third country under the GDPR. If the UK applies for and receives an adequacy decision from the European Commission, personal data could be transferred from the EEA to the UK without additional safeguards. Otherwise, if you transfer personal data from the EEA to the UK you should consider alternative approved transfer mechanisms, such as:
- Standard Contractual Clauses (commonly known as "Model Clauses")
- Binding Corporate Rules
For most organisations the Model Clauses will be the most appropriate mechanism.
Transfers from the UK to the EEA and countries with an adequacy decision
On exit, the government has stated that transfers of personal data from the UK to the EEA will be permitted. This is being kept under review.
Transfers from the UK to the US
Following Brexit, the UK won't be able to participate in the EU-US Privacy Shield framework. However, in the event of a no-deal Brexit, UK organisations can still transfer personal data to Privacy Shield certified organisations, provided that such organisations have updated their privacy policies to reflect this.
Transfers from the UK to the rest of the world
The UK GDPR will continue to apply to such transfers, which means that UK organisations will still need to have a legal basis for exporting personal data.
Lead Supervisory Authority
Currently, if you carry out cross-border processing, you can benefit from the GDPR One-Stop-Shop system. This means that a single supervisory authority, such as the ICO, acts as the lead supervisory authority on behalf of the other EEA countries. Post-Brexit, the ICO won't be a supervisory authority for the purposes of the EU GDPR and so can't be your lead supervisor for cross-border processing. The ICO will continue to be the regulator for the UK GDPR.
While the future of Brexit remains uncertain, organisations should certainly be considering what steps they need to take before 31 October 2019. DWF's Data Protection Team can assist you in navigating the various data protection implications that arise from a no-deal Brexit. Please contact us directly or at DataProtection@dwf.law.
Written by Sarah Moss