The odds of the UK crashing out of the European Union without a deal have shrunk since the Commons voted to take control of the parliamentary agenda but it remains a strong possibility that could have serious implications on data transfers between the UK and the EU.
When the UK leaves the EU, it will no longer be governed by the GDPR, but the fundamental principles, obligations and rights of the regulation have been retained by the EU Withdrawal Act, which also allows the government to make the amendments necessary to ensure the rules work in the UK.
These amendments will largely relate to replacing references to EU institutions and procedures with terms that make sense to a UK that is no longer part of the bloc, such as swapping “Union or Member State law” with “domestic law”. But some of the changes will require more than just rephrasing.
On the exit date, the EU will treat the UK as a “third country”, which will need to demonstrate that it provides adequate protection before personal data can flow freely from the EU to the UK.
Data adequacy
The European Commission is expected to eventually provide the UK with an 'adequacy decision' confirming that the UK's data protection regime meets EU standards. The domestic Data Protection Act 2018 is closely aligned with the GDPR, but the EU will not begin the adequacy process until after Brexit.
Until then, organisations in the UK will have to put in place one of the appropriate safeguards listed in the GDPR, which the ICO describes in detail in its guidance.
The most straightforward way of doing this is through Standard Contractual Clauses (SCCs) signed by both the sender and the recipient of the data. They contain contractual obligations to comply with the GDPR’s requirements in territories that are not considered to offer adequate data protection.
“Standard contractual clauses are a fixed form of wording that you can add to a contract,” Helen Goldthorpe, an associate solicitor in the company and commercial department of Shulmans LLP, tells Computerworld. “The benefits are that it's relatively simple to put in place. Because it is standard wording, it doesn't need too much negotiating and most reputable companies will be relatively comfortable with them.”
SCCs are relatively simple to implement, and the UK government will continue to recognise the European Commission-approved SCCs after Brexit. You can determine whether you need SCCs by using an interactive tool developed by the ICO, which also offers template SCCs and guidance on how to complete them.
Organisations that use SCCs need to treat them as more than just a paper exercise.
“You really have to make sure the parties in the contract are capable of abiding by those standard contractual clauses,” adds Barry Cook, privacy and group data protection officer at outsourcing and technology services giant VFS Global.
“And there is an obligation, of course, on the sending party to ensure that the receiving party does indeed comply with the standard contractual clauses, so it may involve more intensive auditing by the sending party to actually demonstrate to the receiving party that it's compliant.”
Alternative safeguards
SCCs are not always the best choice of safeguard. The advantage of standardisation that they provide can become a weakness for more complex data processing done by large organisations, which may require hundreds of SCCs to cover their operations.
A more efficient alternative could be 'binding corporate rules', which allow multinational companies to transfer data from the European Economic Area (EEA) to multiple affiliates outside the EEA. These are tailored to the needs of an individual business, but they can be costly to create and involve a lengthy application process.
If one of the parties can’t enter into a binding contract, administrative arrangements are another potential safeguard.
None of this will be required for organisations that don’t transfer data from the EU to the UK.
They will still be able to send personal data from the UK to the EEA and the 13 countries that the European Commission has deemed to provide fully adequate data protection, as the British government has confirmed that the current data protections provided by EEA countries are sufficient for these transfers.
Data transfers to the US can also continue, under the terms of the EU-US Privacy Shield framework, as long as the US organisation has updated its public commitment to the framework to confirm that it will apply to transfers of personal data from the UK. Confirmation of this update is normally found in the US organisation’s privacy policy.
EEA representatives
If an organisation is based in the UK, and not in any other EEA state, but offers goods or services to individuals in the EEA, or monitors their behaviour, the organisation will also need to appoint a local representative in the EEA.
Public authorities or organisations whose processing is only occasional, low-risk and does not involve special category or criminal offence data on a large scale are exempt from this requirement.
The issue of EEA representation proved somewhat problematic for Dubai-based VFS Global, which had previously used the UK as its EEA base. The vote to leave the EU has forced VFS to transfer staff and its data centres from the UK to mainland Europe.
“There's massive impact on things like corporate structure, taxation and moving your finances around, which is not really spoken about much in the press,” Cook says.
“There's a lot of hype around that data transfer, but transfer of funds effectively offshore, as it would be post-Brexit, is probably an equally big concern for multinational companies operating in Europe.”
Crucial preparations
The ICO recommends that organisations follow six steps to ensure that their data flows remain effective and legal:
- Continue to comply with GDPR standards.
- Review data transfers you receive in the UK from the EEA and put safeguards in place to ensure they can continue to flow.
- Review data transfers from the UK to countries outside it, as these will fall under new domestic provisions.
- Review the structure, processing operations and data flows of any operations across Europe to understand how Brexit will affect the applicable data protection regime.
- Review privacy information and internal documentation and make any necessary updates.
- Update the relevant staff on any key issues.
Goldthorpe advises organisations to start with the basics and work out where their data is hosted and where it is going.
“I would make sure that your GDPR compliance is as good as it can be, because one thing you find in this area is the ICO doesn't proactively investigate anyone really, except perhaps Facebook,” she says.
“Issues tend to come to their attention when there's a problem, so the more secure your systems are from a general information security point of view, the less likely the ICO is to ever look at it.
“That's not an excuse for not doing it in terms of practical tips. It's actually more important than some of the legal stuff to get the security right.”