What steps should UK businesses take to ensure compliance with data protection regulations post-Brexit?
The UK’s as-yet unresolved terms by which it will leave the European Union (EU) have sent the legal community into something of a spin as the ramifications work their way through the system. This is particularly the case with regards to the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA), not least given their scope and the volume of time, effort and money businesses have very recently expended to attain compliance with the regulations.
The GDPR is an EU regulation that controls the use of personal data in the EEA and is relevant to most businesses and organisations. Its aim is to harmonise data protection laws across the EU and transform the way personal data is collected, shared and used. When the UK exits the EU, the GDPR will no longer have direct effect in the UK, but it will continue to be incorporated into UK law by virtue of the EU (Withdrawal) Act 2018.
The UK government has also aligned its domestic law with the GDPR through the enactment of the DPA. The aim of the DPA is to apply GDPR standards in the UK context, provide additional UK-specific rules on data processing, provide a bespoke regime for law enforcement and national security data processing, and help prepare the UK for Brexit. It updates the rights provided for in the Data Protection Act 1998 to make them easier to exercise and to ensure that they continue to be relevant with the advent of more advanced data processing methods. The DPA will continue to have effect after the UK leaves the EU.
Brexit before an adequacy decision
Under the GDPR, there is a general prohibition on the transfer of personal data out of the EU, with certain exceptions. One of those exceptions is for a country to subject its own rules and regulations governing the handling of personal data to a so-called ‘adequacy decision’ by the European Commission. This is effectively the Commission’s verdict that the systems in place are substantively similar enough to afford adequate protection to allow for the transfer of EU personal data to that country.
After the UK leaves the EU, it is likely to be the case that an adequacy decision will be required in order to go on receiving transfers of personal data from the EU. There is a high probability that the UK could leave the EU before an adequacy decision has been reached by the Commission, but there is no real reason for businesses to fall into a blind panic regarding their data protection responsibilities as a result.
There is no doubt that a highly prudent option for all businesses would be to put some kind of Brexit clause into their standard contracts, but typically, not need to say much more than: “In the event of the terms of the agreement becoming unworkable or more difficult as a result of Brexit, the parties will renegotiate those terms that are affected, including, where necessary, their data protection clauses.”
For businesses that transfer significant quantities of personal data from the EU to the UK or in reliance on shared frameworks, there will be a need to take some steps to ensure that the lack of an adequacy decision does not unduly affect them.
A couple of factors to consider
Governance and compliance arrangements with respect to the designation of a data protection officer might need to be reconsidered. In the absence of a Brexit deal, companies may have to make alternative arrangements with regards to their EU main establishment if they are relying upon operating under the GDPR ‘one-stop shop’ (the notion that you can rely on a single office in the UK being able to handle all customer data within the EU).
UK businesses transferring personal data to the US (or vice versa for US businesses) should also be aware that in the event that there is no transition period agreed between the UK and the EU, companies relying on Privacy Shield must take immediate steps to make a public commitment to complying with the Privacy Shield stating that it will include the UK and in any event they must do so before the end of any agreed transition period.
Despite the political turmoil in Westminster, the facts on the ground in relation to businesses’ personal data-handling responsibilities will not change substantively in a post-Brexit world, no matter what the final status is. A small number of prudent steps to align businesses’ data protection strategies to ensure it can cope with any of the eventual outcomes will, however, go a long way toward averting any panic.
Duncan Burrell is a trainee solicitor at Accutrainee