What are the implications of Brexit on the use of data?
What are the implications of Brexit on the use of data? A question asked by many, and one I asked Andrew Roberts to help answer in this blog.
Here’s a summary:
- The EU GDPR remains in place after Brexit
- The UK Data Protection Act 2018 takes over
- The UK DPA 2018 enshrines the GDPR in UK law anyway so there is little practical change
- For clarity, this means there is an EU GDPR and a separate UK GDPR, which are currently the same
- UK companies need to abide by both if they have data on residents of the European Economic Area (EEA) in their databases
- This is because the UK DPA 2018 and UK GDPR apply to data processed in the UK, even where the personal data does not relate to UK residents
There are 3 main issues to consider after Brexit. These are:
- Do you need to set up special arrangements when transferring data to and from the UK?
- Do you need to ‘engage’ someone to represent you from a GDPR point of view in the EEA?
- Are your policies and procedures up to date?
When you might be affected
If you do not hold information in any databases on individuals resident in the EEA, and you do not send data to any processors in the EEA, then you may need to update your documentation (data protection policies, privacy policies etc.) to make sure it references the UK DPA 2018 and UK GDPR, but that should be the limit of what is needed.
Arrangements needed if you transfer data
Under the GDPR (UK and EU), data should not be transferred across a country’s border unless the destination country is considered ‘adequate’ by the data protection authorities, or safeguards are in place.
Transferring data from UK to EEA
The UK considers EEA countries to be ‘adequate’ and so no special provisions are required that relate to cross-border transfer of data.
Transfers from EEA to the UK
The EU has made an interim adequacy decision on the UK, valid until June 2021. In other words, the EU considers the UK to be an adequate country until the end of this ‘bridging’ period.
There are a couple of issues to overcome in getting a permanent adequacy decision, but it is looking probable (though not definite) that the UK will be seen as ‘adequate’ by the EU. If the UK is not defined as adequate after June 2021, then any transfers of data made to the UK from the EEA need to be covered by specific arrangements.
These special arrangements include:
- Standard contractual clauses (SCCs).
- There is a new version of the SCCs due out, but the new versions have not been finalised yet.
- The old ones can be used until these have been finalised.
- Note that the model clauses in the SCCs must not be altered. You can add business clauses to them (so long as they don’t contradict any of the model clauses), and you can exclude the footnotes and ancillary notes in the SCCs.
- Transfers done under contract (e.g. employment contracts)
- A few other mechanisms, for example codes of conduct and binding corporate rules
You should also conduct a risk assessment (probably in the form of a Data Protection Impact Assessment) if transferring data from the EEA to the UK.
If data is transferred to you from the EEA and the UK is not considered ‘adequate’ by the EU at any point, you will need to put these new measures in place.
Note that this is not completely straightforward. As an example, if you hold data on EEA residents on a cloud server in Dublin (in an EEA country), you will be able to transfer data to the cloud server with no issue (as the UK recognises Ireland as an adequate country), but you will need to be covered by SCCs or another mechanism to transfer data back to the UK (if the UK is not considered adequate by the EU).
Do you need to ‘engage’ a representative in the EEA?
If you do not have an establishment in the EEA then you may need to engage a representative based in the EEA so that statutory authorities and individuals know who to contact about privacy issues.
You can’t just pick a random person; these people need to know what they are doing. They could also shoulder the liability if you are sued because of data protection compliance issues. And in some instances, statutory authorities are contacting the data controllers directly anyway…
These representatives should not also be your Data Protection Officer (DPO) – the role of the DPO is an advisory one and the role of the representative is to gather information on what you do. The representative should not advise you on what to do.
If you do have an establishment in the EEA, then you will be able to register with the statutory authority in the country of your establishment.
If you ‘control’ data on EEA residents then you need to evaluate:
- Do you process this data regularly or occasionally?
- Does it contain special category data or information on criminal convictions?
- If the data escaped from your control, would it present a high or low risk to the rights and freedoms of the individuals?
If your answers to the above questions amount to low risk, then you do not need to engage a representative.
If your answers are anything else, then you should engage a representative.
You will also need to tell data subjects and supervisory authorities in the EEA who the representative is, either at the point of collection or through a data privacy notice (as you should be doing anyway, and where you are supporting the data subjects’ right to be informed).
Selecting a representative
- Must be authorised (i.e. you need contracts)
- Must be capable of maintaining a record of the processing done in the EEA countries
- You will need to create and maintain the record of processing yourself and then pass this record over to the representative
If you control data in multiple EEA countries, we believe that you only need to engage a representative in one of the EEA countries. This should be the country whose residents’ data you process most (e.g. if you hold data mostly on French residents then you should engage a representative in France).
After Brexit, the ICO will no longer be a part of the one-stop shop arrangement. Under this arrangement, if supervisory authorities need to take action (e.g. investigate complaints), then whichever EEA country is involved, the action is co-ordinated through a single authority.
For example, before Brexit, if complaints were raised by data subjects in France, Germany and Spain about an organisation spamming from the UK, then the relevant EEA authorities channelled their investigations through the ICO.
After Brexit, the one-stop shop arrangement with the UK has dissolved, and the EEA authorities will contact the UK company directly, so you may have to deal with multiple countries’ supervisory authorities.
If you have an establishment in the EEA then you would be covered by the one-stop shop. If you have a representative in the EEA but no establishment, then the one-stop shop would not cover you.
Policies and procedures
You need to make sure that references to the GDPR make clear whether you are covered by the EU GDPR and/or the UK DPA 2018 and UK GDPR.
The GDPR has been created by the European Union (EU) and covers the residents of some additional countries, namely those within the European Economic Area (EEA). The terms are not quite interchangeable as the non-EU EEA countries do not have input on the EU GDPR.
About Andrew Roberts, Blue Tortoise
With a long background in data management, Andrew set up Blue Tortoise around six years ago and now helps businesses with data cleansing and management, specialising in the complex and often confusing world of GDPR.
Andrew helps businesses by writing their all-important GDPR policies and Blue Tortoise also offers an advisory service to marketing teams to help them navigate the laws around accessing and using data to contact prospective and existing clients. As part of this, he can help teams to achieve the sensitive balance between minimising risk and maximising opportunity.
The majority of Andrew’s experience has been gained working with high technology firms such as Oracle, McAfee and Juniper Networks. Blue Tortoise also delivers online training for business teams looking to demystify GDPR, covering how it impacts marketing activities, suggesting workflows to implement to help navigate the law successfully.
Andrew studied Zoology at degree level and keeps this passion alive by bird watching and growing orchids and carnivorous plants in his spare time.
About Julia Blake, Blake Consultants
Julia has been helping businesses and their owners to be more successful for over ten years. She describes herself as a catalyst for growth and focuses on systems and processes to build healthy and robust foundations to set her clients up for success.
Ensuring compliance in respect of GDPR is a major element of having the right systems and processes and Julia’s GDPR Compliance Roadmap Toolkit is a popular offering from Blake Consultants.
Julia’s background in the software and banking industries, along with her degree in International Business, is the perfect backdrop to assist her clients with growth and efficiency, helping them to overcome challenges and maximise their opportunities.
Julia loves spending time with family and taking in the great British countryside with her dog, Barney.
Team Work: Blake Consultants and Blue Tortoise
Andrew and Julia joined forces in 2017 to combine and supercharge their GDPR offering. Together, they help business owners make sense of the legislation and keep pace with changes in Data Protection law. GDPR and the awareness it brought about data to organisations means that Andrew and Julia continue to help many business owners understand and make the most of one of the most valuable resources a business has – its data.