Prep for a GDPR Split via a No Deal Brexit
If your organization has not yet started preparing for a no deal Brexit and its implications for your organization’s data privacy practices, now is the time. As expected, the House of Commons in the UK Parliament has declined today to approve Prime Minister Theresa May’s Brexit deal with the European Union. The vote was 432 to 202 to reject the Withdrawal Agreement put in place in November 2018.
The United Kingdom is currently hurtling toward a no deal Brexit on March 29. Although various alternatives are still under consideration, it is time to consider the very real possibility of a hard Brexit and prepare data privacy practices for it while there is still time.
In December, the UK Department for Digital, Culture, Media & Sport (DCMS) provided notice about how its data protection law would work if the UK leaves the EU without a deal. The UK will maintain the data protection framework specified in the Data Protection Act of 2018, which made GDPR UK law. The UK is expected to issue regulations to handle the transition, including regulations to:
– Preserve GDPR standards.
These changes are expected to remove references to the EU and Member State law that will not be applicable once the UK has left the EU.
– Recognize the EU Standard Contractual Clauses and give the ICO the power to issue new clauses.
The Standard Contractual Clauses preserve the ability of organizations to make data transfers where there is no adequacy determination between the countries involved.
– Recognize the Binding Corporate Rules.
The BCRs allow multinational corporations to make internal transfers of personal data within the same corporate group across borders to countries that do not offer an adequate level of protection.
– Maintain the extraterritorial scope of the UK privacy law.
UK privacy law will apply to controllers and processors outside of the UK, including controllers and processors based in the EU.
– Require non-UK controllers to appoint representatives in the UK for processing large scale UK data.
The UK intends to adopt the GDPR Article 27 representative requirement and apply it to organizations without a presence in the UK.
– Transitionally recognize all EU Member States and Gibraltar as adequate to permit data flows from the UK to Europe.
The UK will not control whether the EU Member States decide to recognize the adequacy of data flows into the UK. The ICO has made clear that it intends to seek an adequacy decision but that the decision would take time to conclude and would not be in place before the UK leaves. Organizations that rely on transfers of data from the EU to the UK will need to put in place other protections such as the Standard Contractual Clauses.
– Transitionally preserve existing EU adequacy decisions.
This will permit personal data transfers from the UK to a number of other countries where there is an existing adequacy determination by the EU. These include: Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, Uruguay and the United States of America (via the Privacy Shield framework).
ICO Recommendations
The UK Information Commissioner’s Office (ICO) has also published guidance for businesses on a no deal Brexit. In a blog post in December, UK Information Commissioner Elizabeth Denham pointed to the resources available including its Six Steps to Take guide. These steps included:
1. Continue to Comply.
GDPR standards and ICO guidance will continue to apply.
2. Transfers to the UK
Transfers of data from the EU to the UK will need new safeguards as there is unlikely to be a formal adequacy decision on the level of protection offered by the UK at that time.
3. Transfers from the UK
Transfers of data outside the UK will fall under new provisions and documentation requirements. The rules are likely to remain similar if the UK follows its current plan.
4. European operations
Review operations and data flows to assess the impact on your organization. Organizations that operate in both the UK and elsewhere in the EU will need to comply with both data protection regimes. Organizations that have the UK as their lead supervisory authority need to carefully evaluate that relationship. Organizations that are based in the UK and not elsewhere in the EU will need to check whether they must appoint a representative in the EEA under GDPR Article 27.
5. Documentation
Review the privacy policy and internal procedures for changes necessary as the UK leaves the EU. References to EU law need to be updated to reflect the UK's changed status, and the language around international transfers may also need to be updated. Data Protection Impact Assessments that involve data transfers between the UK and the EEA may need to be reviewed.
6. Organizational awareness
Keep up to date with the latest information and make sure the key people in the organization are aware of issues.
If you have questions about the implications of Brexit on GDPR, please call Clarip at 1-888-252-5653.