With the transition period reaching an end soon and Brexit being a fact on the first of January 2021, organisations should prepare for the consequences this will entail, in particular with regard to the protection of personal data.
The UK will incorporate the GDPR into its domestic law (UK GDPR). As such, UK organisations will still be bound by the same principles and obligations as they were under the EU GDPR, although the EU GDPR will no longer be directly applicable. In practice, in some cases, this will also lead to both the provisions of the EU and UK GDPR being applicable and needing to be respected. For example, when a company established in Belgium also offers services to UK customers, thereby processing their personal data, both legislations will need to be taken into account.
Now what are the last-minute actions to be taken in order to prepare for Brexit, by both EU and UK established organisations?
- Evaluate which regime(s) will be applicable to you
As there will be an EU and UK version of the GDPR, you will need to evaluate whether or not you will be subject to both regimes and how to ensure compliance with and follow up on both.
For organisations established in the EU, the EU GDPR will be applicable. By analogy, the UK GDPR will be applicable if you are established in the UK. However, both legislations also have an extraterritorial reach: they apply as well to organisations not established in the UK or EU respectively, but offering goods or services to, or monitoring the behaviour of, data subjects in the UK or EU respectively.
The applicability of both regimes will entail, amongst other things, that the competent EU Supervisory Authority as well as the ICO (UK Supervisory Authority) will be competent and able to act upon any infringement of the relevant legislation. For example, in case of a data breach involving both EU and UK data subjects’ data, a notification shall be made to both authorities. Moreover, both authorities will have the possibility to impose fines. If no deal with the UK is reached, this would mean that fines might go up to 40 million euros or 8% of the worldwide annual turnover.
- Transfers of personal data
The UK will no longer be part of the EU and will thus need to be considered a ‘third country’. Consequently, the necessary measures need to be implemented to ensure a valid transfer of personal data after Brexit.
To this end, the following concrete actions are recommended:
- First of all, make sure you have an overview of those processing activities where personal data is being sent to the UK.
- Secondly, evaluate whether those transfers are really necessary and whether there are any reasonable EU alternatives.
- Perform a data minimization exercise to ensure that only the personal data that is necessary in context of the envisioned purpose is being transferred to the UK.
- Make sure to also consider any onward transfers of personal data by suppliers or partners (e.g. if the supplier is established within the EU, but makes use of a subcontractor established in the UK).
For those processing activities entailing a transfer of personal data to the UK, define which of the valid transfer mechanisms under the GDPR will be the most appropriate for the specific situation to guarantee a continued compliant flow of personal data.
In this regard, please keep in mind the following:
- An adequacy decision for the UK would be the ideal situation; however, it is highly unlikely that the European Commission will grant an adequacy decision before the end of this year.
- Other transfer mechanisms to consider would therefore be Standard Contractual Clauses, Ad Hoc Clauses, Binding Corporate Rules or a Code of Conduct/Certification mechanism, though not all of them will be realisable before the transition period comes to an end, e.g. due to the approval process.
- Also take into account the recent recommendations of the EDPB with regard to the possible supplementary measures for international data transfers. Moreover, a draft new set of standard contractual clauses has been issued by the European Commission, which will most probably be approved by the beginning of 2021.
- If none of the aforementioned is an option, there may be a possibility to rely on one of the derogations under article 49; however, these are to be applied restrictively.
Conversely, as a UK established organisation, it is equally important to have a good overview of any data flows from within the EU and to work with EU customers or partners to ensure the implementation of an appropriate transfer mechanism.
- Update privacy notice & consent language
Data subjects need to be informed about their personal data being sent outside of the EU and the transfer mechanism that has been put in place.
This entails the following actions:
- In case you transfer personal data to the UK, a change of the privacy notice will be required to inform the data subjects of this international data transfer and the measures you implement to ensure adequate protection of their personal data.
- A change of your consent language might be required if consent is currently relied on to process the personal data, since it probably did not anticipate the UK becoming a third country. As an update of the privacy notice needs to be communicated to the data subjects, do note that this will include a risk of withdrawal of consent.
- Location of Lead Supervisory Authority
Post Brexit, the ICO will no longer be a Lead Supervisory Authority under the EU GDPR. Especially for UK established organisations this will mean that the ‘establishment’ criterion can no longer be used to determine the location of the Lead Supervisory Authority. This is because the ‘main establishment’ will most likely be the place of central administration (which will be the UK for UK located organisations). This principle will however be overruled where the decision-making powers in relation to the data processing are located in another country.
This entails the following actions:
- For organisations carrying out cross-border data processing (active in multiple countries within the EEA) that previously considered the ICO to be their Lead Supervisory Authority, it will be relevant to carry out an evaluation of their activities within the EEA and establish whether they have any ‘main establishment’ within the EEA once the UK is no longer part of the EU. For GDPR purposes, this will be the establishment which has decision-making powers in relation to the data processing.
- If there is no such establishment, e.g. where the decision-making powers are in the UK, there will be no main establishment within the EEA and no advantage can be taken of the one-stop-shop mechanism. In that case there will be no Lead Supervisory Authority and a representative shall be appointed. Moreover, the Supervisory Authorities in each EEA Member State in which the processing operations take place or the relevant data subjects are located will be competent to act.
- Need for a representative
When established outside of the UK but processing personal data of UK residents, as from the 1st of January it will be required to appoint a UK located representative, acting as the first point of contact with regard to any matter relating to compliance with the UK GDPR. The same goes for UK organisations without an establishment in the EU.
- Evaluation of DPO function
Organisations that currently have a DPO should consider whether this DPO is still sufficiently accessible to all of their establishments and data subjects in the EU and UK, taking into account aspects such as the language capabilities of the DPO. For example, a DPO based in France, only speaking French, cannot be considered ‘sufficiently accessible’ for data subjects in the UK who only speak English.
Moreover, it is advisable to have the DPO located where the data subjects are (EU/UK). This may mean a change of location of the DPO, which might require a change in personnel or additional personnel if the organisation wants or needs to have a DPO in the EU as well as the UK.
- Consider relocation to EEA?
It is clear that a lot of issues can and should be tackled by EEA and UK companies before 1 January 2021.
At CRANIUM we offer various solutions that can help you with this. We can for example help you review your privacy statements or give you advice on international data transfers.
Apart from this we also offer some standard solutions that may be relevant in this context.
- Our first step would in most cases be to perform a scan, in this case a Brexit scan. In our Brexit scan we assess your compliance with in-depth questions in order to identify weak spots and priorities; it also helps you demonstrate your accountability.
- Secondly, CRANIUM offers both EU and UK representative services in accordance with the requirements of the GDPR and the UK GDPR. If you are not sure whether you are legally obliged to appoint a representative, we can definitely help you make this assessment.
- At CRANIUM we can also perform an audit to check whether your suppliers and processors comply with the GDPR and for example the requirements for international data transfers.
- Finally, CRANIUM, in collaboration with Deltablue, can assist you with this shift from UK to EEA alternatives or move the servers from UK processors to the EEA while you would barely notice it.
Contact us for more information: firstname.lastname@example.org.