{"id":590,"date":"2019-03-08T16:53:17","date_gmt":"2019-03-08T16:53:17","guid":{"rendered":"http:\/\/intersticeconsulting.com\/ibtt\/?p=590"},"modified":"2019-03-08T16:53:17","modified_gmt":"2019-03-08T16:53:17","slug":"590","status":"publish","type":"post","link":"http:\/\/intersticeconsulting.com\/ibtt\/index.php\/2019\/03\/08\/590\/","title":{"rendered":""},"content":{"rendered":"\n<h2>What to do in a No-Deal-Brexit Scenario<\/h2>\n\n\n\n<p>What happens to your GDPR Compliance\nProgram in the event that the UK leaves the EU without striking an agreement\nwith the EU? &nbsp;&nbsp;Here is a summary of\nactions you will likely need to take, followed by a more detailed explanation. <\/p>\n\n\n\n<ol><li>Revise your\n     standard contractual clauses for transfers from the EU to the UK<\/li><li>Ensure you\n     appoint an Article 27 representative in both the UK and the EU.&nbsp; <\/li><li>Register\n     with a supervisory authority in both the UK and the EU<\/li><li>Make\n     revisions to your privacy policy to refer to both the UK and EU laws,\n     identify the supervisory authority and the company\u2019s representative in\n     both the UK and the EU<\/li><li>Review DPIAs\n     to ensure compliance with both sets of laws. <\/li><\/ol>\n\n\n\n<p>According to the ICO (the UK Data Privacy\nSupervisory Authority), the UK government intends to incorporate the GDPR\ndirectly into UK law upon Brexit (UK GDPR).&nbsp;\nThe UK GDPR together with the Data Protection Act 2018 will comprise the\nUK&#8217;s data protection scheme. Existing GDPR compliance programs must continue to\napply those protections to personal data of UK data subjects.\nNevertheless,&nbsp; data controllers and\nprocessors will need to make changes to their data privacy and protection\npractices before a No Deal Brexit. 
In particular, companies will need to make\nadjustments with regard to the following:<\/p>\n\n\n\n<p><strong>Data Transfers<\/strong><\/p>\n\n\n\n<p>Most likely the most burdensome issue. Since the\nEuropean Commission determines whether a country outside the EU offers an\nadequate level of data protection, transfers of personal data to such countries\nare not automatically deemed &#8220;adequate.&#8221;&nbsp; Thus, until there has been an adequacy\ndetermination, transfers of personal data between the EU and the UK can be made\nonly subject to certain protections, such as Standard Contractual Clauses (SCCs).\n<\/p>\n\n\n\n<p>The length of time it will take to obtain an\nadequacy determination from the European Commission is unknown, and there is no\nassurance that such a decision will be made quickly.&nbsp; Be prepared to implement interim safeguards and\nunderstand how personal data flows from within and out of the UK. Identify\nwhich data transfers will be problematic.&nbsp;\nAdopt appropriate transfer mechanisms.<\/p>\n\n\n\n<p><em>Transfers from the EU to the UK.<\/em> If your company transfers EU personal data to the UK, you will need to\nensure adequate safeguards are in place or that one of the exceptions in GDPR\nArticle 49 applies. For some companies, the only available data transfer\nmechanism will be SCCs. Identify all such data transfers now and begin the\nprocess of entering into SCCs with entities to which your company transfers\ndata, such as vendors, customers, and even internal corporate affiliates, so\nthese agreements are in place before Brexit. 
<\/p>\n\n\n\n<p><em>Transfers from the UK to the EU.<\/em> If your company transfers personal data from the UK to the EU, the ICO has\nindicated that post-Brexit transfers from the UK to the EU will not be\nrestricted.&nbsp; Although no specific action\nis required concerning these transfers, best practice suggests that you keep\nthese transfers under review.&nbsp;&nbsp; <\/p>\n\n\n\n<p><em>Transfers from the UK to the countries outside the EU<\/em>. There will not be changes to the rules that govern these transfers, as\nthey will have already been in place. It is expected that the UK government\nwill confirm existing adequacy decisions and the SCCs.<\/p>\n\n\n\n<p><strong>Article 27 Representatives<\/strong><\/p>\n\n\n\n<p>By now you will have appointed a data protection\nofficer (DPO), whether appointed internally or engaged externally.&nbsp; This is required, with some exceptions, by the\nGDPR.&nbsp; If your DPO is located in the UK,\nthat DPO will only be valid for compliance within the UK.&nbsp; Conversely, if your DPO is situated in the\nEU, an additional DPO must be appointed in the UK.&nbsp; As a result, to remain in compliance with\nboth the UK and the EU, companies will need to appoint two DPOs, one in the UK\nand one in the EU.<\/p>\n\n\n\n<p><strong>Lead Supervisory Authority<\/strong><\/p>\n\n\n\n<p>Under the GDPR, companies with a physical presence\nin the EU, and that engage in &#8220;cross-border processing,&#8221; are\npermitted, but not required, to choose a lead supervisory authority (LSA). The\nLSA then coordinates &#8220;cross-border processing&#8221; issues across the EU\nand has primary responsibility for conducting investigations into the company&#8217;s\ndata processing activities and responding to its compliance inquiries. When choosing\nan LSA, it should be where the company&#8217;s headquarters is located, or if no\nheadquarters, then the place where decisions about the purpose and means of\nprocessing are made. 
Following Brexit, companies whose \u201cmain establishment\u201d is\nin the UK will no longer be able to designate the ICO as their LSA. Moreover,\nunless those companies physically move the operations where their decisions\nabout the processing of personal data are made to an EU country, they may lose\nthe ability to designate an LSA altogether, leaving them subject to regulation\nby multiple EU data protection authorities.<\/p>\n\n\n\n<p><strong>Data Protection Officers<\/strong><\/p>\n\n\n\n<p>The ICO&#8217;s guidance states that Data Protection\nOfficers (DPOs) appointed by a company may continue in that role and combine\ntheir UK responsibilities with ongoing EU responsibilities, so long as\n&#8220;they have expert knowledge of both UK data protection law and the EU\nregime and are \u2018easily accessible&#8217; from both locations.&#8221; Because the UK\nGDPR will mirror the GDPR, your DPO who already possesses knowledge of the GDPR\nwill also necessarily possess knowledge of the UK GDPR. Your DPO should also\npossess knowledge of the Data Protection Act 2018, which took effect at the\nsame time as the GDPR.<\/p>\n\n\n\n<p><strong>Privacy Notices<\/strong><\/p>\n\n\n\n<p>Although the information required in your privacy\nnotice is unlikely to change, references to EU law and the identification and\ncontact information for the DPO and the LSA may need to be changed.&nbsp; If your U.S.-based company participates in\nthe EU-U.S. and Swiss-U.S. Privacy Shield Frameworks, you will need to update\nyour privacy notice by March 29, 2019, to affirm that your commitment to the Privacy\nShield extends to UK personal data. <\/p>\n\n\n\n<p><strong>Article 30 Records of Processing<\/strong><\/p>\n\n\n\n<p>Changes to the information you are required to\ndocument are not likely. You may need to review certain of your processing\nactivities involving data transfers to the UK and update your records\naccordingly. 
For example, you may now have to classify certain personal data as\nbeing subject to international transfer rules and document under which adequate\nsafeguards it was transferred.<\/p>\n\n\n\n<p><strong>Data Protection Impact Assessments<\/strong><\/p>\n\n\n\n<p>Existing assessments may need to be reviewed to\ndetermine whether they cover international data flows that become restricted\nafter Brexit.<\/p>\n\n\n\n<p>If you have questions or concerns please contact me for assistance. <\/p>\n","protected":false},"excerpt":{"rendered":"<p>What to do in a No-Deal-Brexit Scenario What happens to your GDPR Compliance Program in the event that the UK leaves the EU without striking an agreement with the EU. &nbsp;&nbsp;Here is a summary of actions you will likely need to take, followed by a more detailed explanation. Revise your standard contractual clauses for transfers &hellip; <a href=\"http:\/\/intersticeconsulting.com\/ibtt\/index.php\/2019\/03\/08\/590\/\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\"><\/span> <span 
class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"nf_dc_page":"","om_disable_all_campaigns":false,"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0},"categories":[10,5,6],"tags":[],"_links":{"self":[{"href":"http:\/\/intersticeconsulting.com\/ibtt\/index.php\/wp-json\/wp\/v2\/posts\/590"}],"collection":[{"href":"http:\/\/intersticeconsulting.com\/ibtt\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/intersticeconsulting.com\/ibtt\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/intersticeconsulting.com\/ibtt\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"http:\/\/intersticeconsulting.com\/ibtt\/index.php\/wp-json\/wp\/v2\/comments?post=590"}],"version-history":[{"count":1,"href":"http:\/\/intersticeconsulting.com\/ibtt\/index.php\/wp-json\/wp\/v2\/posts\/590\/revisions"}],"predecessor-version":[{"id":591,"href":"http:\/\/intersticeconsulting.com\/ibtt\/index.php\/wp-json\/wp\/v2\/posts\/590\/revisions\/591"}],"wp:attachment":[{"href":"http:\/\/intersticeconsulting.com\/ibtt\/index.php\/wp-json\/wp\/v2\/media?parent=590"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/intersticeconsulting.com\/ibtt\/index.php\/wp-json\/wp\/v2\/categories?post=590"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/intersticeconsulting.com\/ibtt\/index.php\/wp-json\/wp\/v2\/tags?post=590"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}