Preparing for no-deal: Consequences on data protection

As discussions around Britain’s departure from the European Union are still ongoing, it is important that companies prepare for any potential scenario. In this piece, we analyse what could happen should the UK leave the EU on 29 March 2019 without having reached an agreement with the EU.

In this scenario, the EU and the UK will have failed to sign an agreement governing the future relationship between the two parties and, therefore, the UK will immediately leave the EU’s institutional structures without a transition period.

What does this scenario mean for data sharing? 

In a nutshell, should the UK leave without a withdrawal agreement, it will become a third country under the GDPR.

The ICO has just published lengthy guidance on the practical implications, and it is crucial that companies prepare contingency plans to ensure business continuity.

To determine whether your company will be affected, ask whether the business falls under one of these categories: a UK-based organisation receiving personal data from the EEA, or a UK-based organisation sharing data with countries deemed adequate by the EEA.

Should you fall under the first category, you must implement appropriate safeguards in your contracts with your EEA counterparts if there is no better arrangement prior to the exit date. The most convenient approach is standard contractual clauses.

Similarly, if you are a UK-based organisation receiving personal data from countries currently covered by an EU adequacy decision, both your company and the organisation sending you the data must review how to comply with local law requirements on transfers of personal data.

Two other considerations need to be made. If your organisation sends personal data to a business in the US which is certified under the EU/US Privacy Shield, it is important for the US based organisation to update their privacy policy to expressly state that their commitments to comply with the Privacy Shield apply to transfers of personal data from the UK before proceeding with the transfer. The second consideration relates to Binding Corporate Rules. If your business is part of a corporate group covered by Binding Corporate Rules and you send or receive personal data to or from outside the UK, then you will need to update your BCRs to list the UK as a third country outside the EEA.

The above data sharing issues must be dealt with at the earliest convenience and, to do so, it is very important to map out personal data flows and prioritise those data sharing arrangements that are essential to the business.

However, the above are not the only considerations businesses have to make right now to prepare for a no-deal scenario. The next step is to assess whether you need to appoint a representative in the EEA, and which Supervisory Authorities you will need to deal with. This is a rather complex matter which cannot be fully dealt with in this introductory piece, but the key point is that in most cases, UK companies will no longer be able to use the One-Stop-Shop rule and will have to deal with both the Information Commissioner in the UK and the relevant Supervisory Authority/ies overseas.

Finally, it is highly likely that privacy notices, records of processing activities and Data Protection Impact Assessments might also need updating, alongside ensuring that Data Protection Officers are accessible from each establishment in the EEA and the UK if they cover both jurisdictions.

No doubt the contingency plan preparation will seem daunting to many, but it is essential to seek advice to ensure business continuity is safeguarded and activities can run as smoothly as possible after the 29th of March should we be facing a no-deal scenario.


By Ivana Bartoletti, Head of Privacy and Data Protection and Samuel Plantié, Senior Data Protection Consultant at Gemserv


The Brexit Briefing by Data Protection World Forum is a one-day event that aims to educate, inspire and offer practical tips and advice to attendees, who will have the opportunity to ask speakers their specific queries about the potential regulatory changes.

The briefing will play host to several thought leaders as well as data protection and privacy experts, including Ivana, who will deliver in-depth, interactive and engaging presentations and panel discussions. To find out who else will be speaking at the Brexit Briefing, visit the website.

