A ‘no deal’ Brexit will impact on the flow of information to and from UK
Companies need to consider alternatives to ensure compliance with GDPR
A ‘no deal’ Brexit will impact on the flow of information to and from UK and companies need to consider alternatives to ensure compliance with GDPR
The free flow of personal data within the EEA, governed by GDPR brings the necessary freedom to organisations to drive all aspects of their business operations. However, a ‘no deal’ Brexit will impact on this flow of information and add additional workload and pressures to companies who share information between the jurisdictions, according to Deloitte.
Colm McDonnell, Partner, Risk Advisory, at Deloitte said:
Many companies have spent months, and in some cases years, preparing for the introduction of GDPR in May last year and they have invested heavily in terms of resources to work towards compliance since then. The impact of a no deal Brexit will mean that those organisations may now face additional challenges to ensure compliance post Brexit.
Every organisation that processes personal data, transfers such data, or has a group entity in the UK will need to put in place measures to ensure compliance. The ICO in the UK have stated that the UK Government intends to enable data flow from the UK to the EEA without any additional measures but transfers from the EEA to the UK will be impacted. Many EEA based multinational/large organisations that process personal data have some form of processing agreement with UK vendors or transfer personal data between group entities. From a sectoral point of view banking and insurance companies that have data processors or group entities based in the UK will have to take measures.
Data protection options available for the EU-UK relationship:
Adequacy Decision: The European Commission (EC) has the power to determine whether a country outside the EEA offers an adequate level of data protection, either through its domestic legislation or international commitments it has entered into. A country outside the EEA has to secure an adequacy decision and can be a lengthy process. If the UK does not receive this adequacy status, it will be deemed a ‘third country’ from 29 March 2019. This means that any flow of personal data will have to be under an alternative transfer mechanism such as Binding Corporate Rules or Model Contract Clauses.
Binding Corporate Rules: BCRs are internal rules for data transfers within multinational companies. They allow multinational companies to transfer personal data internationally within the same corporate group to countries that do not provide an adequate level of protection. There is a lengthy approval process involved in establishing BCRs including a review of the BCRs by relevant Data Protection Authorities (DPA). A straightforward BCR application can take 12 months to complete. This leads to a period of time where alternative arrangements must be considered.
Model Contract Clauses: The European Commission can decide that standard contractual clauses offer sufficient safeguards for personal data to be transferred internationally. It has issued standard contractual clauses for the following circumstances: EU controller to non EU or EEA controller and EU controller to non EU or EEA processor. Organisations have just gone through a lengthy process of contract changes and amendments required by GDPR. With the UK leaving the EU as an outcome of Brexit, further review and amendment of any data processing/transfer agreements between the EEA and UK will be required. This poses not only an administrative burden but has financial implications also.
With many organisations still slowly working towards achieving full demonstrable compliance with GDPR, a ‘no deal’ Brexit poses additional challenges. However, a well-prepared action plan aligned with on-going initiatives can help to ensure a smooth transition and continuation of a free flow of personal data between the EEA and the UK,
according to Mr McDonnell.
Key steps to take
- Maintaining up-to-date records of processing is core to compliance with the GDPR. Use records of processing to form a complete list of all data flows to and from the UK
- Fully identified data flows should allow organisations to quickly scope out and plan for the majority of the work that will be required in terms of subsequent contract and data protection notice updates/amendments
- Review all data protection notices and amend where necessary. Consider notices that have a blanket statement such as ‘No personal data will be transferred out of the EU/EEA’ as well as any derogations that may apply under Article 49 of the GDPR
- Formulate communication plan for updated DPN’s and any associated costs (e.g. call centre scripts for queries, sending hard copy DPN’s, data subject requests as a result of the changes (erasure, access etc.)
- Update due diligence procedures to allow for data processors situated in the UK
- Review and update all existing data processing contracts to ensure appropriate clauses are in place e.g. Model Contract Clauses
- Consider the use of Binding Corporate Rules to continue to transfer personal data to group entities based in the UK
- Assess what transfer mechanisms are currently in place to protect personal data and any additional security measures necessary
- Consider any planned initiatives to identify UK dependencies from both a system and contract perspective
- Consider updates required to Data Protection Impact Assessments and Privacy by Design controls