Brexit, Your Data, Your Business And You
If your business has any international element then this is for you.
With the increased uncertainty about Brexit, now’s the time to prepare and have some contingencies in place regarding your data, so that your business is protected as we move through the transition.
In this blog we aim to help clarify some of the uncertainty you may be experiencing – if you would like to discuss how your business may be affected then contact us so that we can talk about the specific issues which may affect your business.
There are two key parts to consider:
1. International transfers
The GDPR regards every other country in the EU (actually the EEA) as having a comprehensive approach to data protection. This means that data can be transferred across EEA country borders freely (subject to specific security controls).
In a hard Brexit, we’ll no longer be a part of the EU and we will transition to being a ‘third-country’. Data can still be transferred to UK organisations, but the UK organisations will have to put in place one of several bureaucratic guarantees.
Probably the simplest to put in place is EU model clauses, which are similar to the kind of guarantees that data processors need to have in place with each data controller. These model clauses are not onerous, but it is worth looking through them now and seeing whether there is any security infrastructure that needs to be put in place, or legal hoops that you need to clear so that you can get model clauses signed quickly if the need arises.
In a soft Brexit, it is our understanding that, as we will be part of the EU until everything is finalised, things remain as they are today.
2. One-stop shop
Under the GDPR, if anyone in the EU but outside of the UK makes a complaint about a company in the UK, then the ICO currently handles it.
The ICO has the remit under a ‘one-stop shop’ system to co-ordinate complaints that are submitted to any other EU supervisory authority. So, for example, if data subjects in Spain, Germany and France complained to their relevant supervisory authorities about a UK organisation’s conduct, then these supervisory authorities would forward all of the complaints to the UK’s supervisory authority, the ICO, and the ICO would chase this up with the UK organisation.
If we get a hard Brexit, the one-stop shop will stop. Each one of the supervisory authorities in the EU can chase complaints directly with UK organisations, and UK organisations will have to interact with the differing bureaucracies of the different supervisory authorities. The supervisory authorities also all have slightly different takes on the GDPR and on all of the ancillary regulations that support data use within the EU.
If we get a soft Brexit, it is expected that the one-stop shop will continue during the transition period, and probably stop once the transition period has finished. One advantage of this is that the ePrivacy Regulations should be completed and rolled out by then and so there will be an even more harmonised set of interpretations of data protection amongst the supervisory authorities.
We have over 35 years’ experience in Data Legislation, Data Management and Data Protection. If you would like to find out more about how we help businesses with their GDPR compliance, please check out our GDPR services or call us on 01635 592020.