What to do in a No-Deal-Brexit Scenario
What happens to your GDPR Compliance Program in the event that the UK leaves the EU without striking an agreement with the EU
Here is a summary of actions you will likely need to take, followed by a more detailed explanation.
- Revise your standard contractual clauses for transfers from the EU to the UK.
- Ensure you appoint an Article 27 representative in both the UK and the EU.
- Register with a supervisory authority in both the UK and the EU.
- Revise your privacy policy to refer to both UK and EU law and to identify the supervisory authority and the company’s representative in both the UK and the EU.
- Review DPIAs to ensure compliance with both sets of laws.
According to the ICO (the UK Data Privacy
Supervisory Authority), the UK government intends to incorporate the GDPR
directly into UK law upon Brexit (UK GDPR).
The UK GDPR together with the Data Protection Act 2018 will comprise the
UK’s data protection scheme. Existing GDPR compliance programs must continue to
apply those protections to personal data of UK data subjects.
Nevertheless, data controllers and
processors will need to make changes to their data privacy and protection
practices before a No Deal Brexit. In particular, companies will need to make
adjustments with regard to the following:
Data Transfers
This is likely the most burdensome issue. Since the
European Commission determines whether a country outside the EU offers an
adequate level of data protection, transfers of personal data to such countries
are not automatically deemed “adequate.” Thus, until there has been an adequacy
determination, transfers of personal data between the EU and the UK can be made
only subject to certain protections, such as Standard Contractual Clauses (SCCs).
The length of time it will take to obtain an
adequacy determination from the European Commission is unknown, and there is no
assurance that such a decision will be made quickly. Be prepared to implement interim safeguards and
understand how personal data flows from within and out of the UK. Identify
which data transfers will be problematic.
Adopt appropriate transfer mechanisms.
Transfers from the EU to the UK. If your company transfers EU personal data to the UK, you will need to
ensure adequate safeguards are in place or that one of the exceptions in GDPR
Article 49 applies. For some companies, the only available data transfer
mechanism will be SCCs. Identify all such data transfers now and begin the
process of entering into SCCs with entities to which your company transfers
data, such as vendors, customers, and even internal corporate affiliates, so
these agreements are in place before Brexit.
Transfers from the UK to the EU. If your company transfers personal data from the UK to the EU, the ICO has
indicated that post-Brexit transfers from the UK to the EU will not be
restricted. Although no specific action
is required concerning these transfers, best practice suggests that you keep
these transfers under review.
Transfers from the UK to countries outside the EU. There will be no changes to the rules that govern these transfers, as
they will already be in place. It is expected that the UK government
will confirm existing adequacy decisions and the SCCs.
Article 27 Representatives
By now you will have appointed a data protection
officer (DPO), either internally or by engaging an external one. This is required, with some exceptions, by the
GDPR. If your DPO is located in the UK,
that DPO will only be valid for compliance within the UK. Conversely, if your DPO is situated in the
EU, an additional DPO must be appointed in the UK. As a result, to remain in compliance with
both the UK and the EU, companies will need to appoint two DPOs: one in the UK
and one in the EU.
Lead Supervisory Authority
Under the GDPR, companies with a physical presence
in the EU, and that engage in “cross-border processing,” are
permitted, but not required, to choose a lead supervisory authority (LSA). The
LSA then coordinates “cross-border processing” issues across the EU
and has primary responsibility for conducting investigations into the company’s
data processing activities and responding to its compliance inquiries. When choosing
an LSA, it should be where the company’s headquarters is located, or, if there is no
headquarters, then the place where decisions about the purpose and means of
processing are made. Following Brexit, companies whose “main establishment” is
in the UK will no longer be able to designate the ICO as their LSA. Moreover,
unless those companies physically move the operations where their decisions
about the processing of personal data are made to an EU country, they may lose
the ability to designate an LSA altogether, leaving them subject to regulation
by multiple EU data protection authorities.
Data Protection Officers
The ICO’s guidance states that Data Protection
Officers (DPOs) appointed by a company may continue in that role and combine
their UK responsibilities with ongoing EU responsibilities, so long as
“they have expert knowledge of both UK data protection law and the EU
regime and are ‘easily accessible’ from both locations.” Because the UK
GDPR will mirror the GDPR, your DPO who already possesses knowledge of the GDPR
will also necessarily possess knowledge of the UK GDPR. Your DPO should also
possess knowledge of the Data Protection Act 2018, which took effect at the
same time as the GDPR.
Privacy Notices
Although the information required in your privacy
notice is unlikely to change, references to EU law and the identification and
contact information for the DPO and the LSA may need to be changed. If your U.S.-based company participates in
the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks you will need to update
your privacy notice by March 29, 2019, to affirm that your commitment to the Privacy
Shield extends to UK personal data.
Article 30 Records of Processing
Changes to the information you are required to
document are not likely. You may need to review certain of your processing
activities involving data transfers to the UK and update your records
accordingly. For example, you may now have to classify certain personal data as
being subject to international transfer rules and document under which adequate
safeguards it was transferred.
Data Protection Impact Assessments
Existing assessments may need to be reviewed to
determine whether they cover international data flows that become restricted
after Brexit.
If you have questions or concerns, please contact me for assistance.