I wish I could have thought of a more interesting title, but as this stuff is important I thought I best not.
In part 1 of the series I wrote that it is likely, but not certain that the UK will deemed an adequate Country post in which to process personal data, post the leaving the European Union. (BREXIT) The challenge for many is the with UK outside the EU there is work to be done some things even though the day before BREXIT they were not required.
I will use the made-up example of Company A whose HQ is in the UK and is part of a group of 14 companies based within the EU.
Company A has registered with the UK based ICO as the lead supervisory authority should there be cross EU border data protection issues, has no formal arrangements in place between each EU based company as they are all moving towards GDPR compliance and have no requirement for appointing a representative in the EU as everyone is the EU.
When the UK leaves, the EU Company A will:
(1) be in scope for GDPR as it processes data of people within the EU – Article 3
(2) no longer meet the requirement for registering as the lead supervisory authority as it is outside the EU – Article 56
(3) require a representative within the EU – Article 27
(4) if the UK’s adequacy status (article 45) is not agreed put in place extra safeguards, which will be onerous, time consuming and costly – Article 46
Let us look at some of those extra safeguards required should the UK not be part of the 14, soon to be 15, “adequacy” members club and controllers wish to continue regular processing with those countries within the EU. ·
Standard data protection clauses for EU/UK UK/EU transfers:the EU has adopted three sets of model clauses which each company will have to adopt, adapt and introduce post BREXIT. The downside being that for each change in processing activity a review and update maybe required.·
Binding corporate rules(BCR): legally binding data protection rules approved by the competent data protection authority which apply within a corporate group: The challenge with BCR is that they are time consuming and should be agreed by a local supervisory authority and the UK Supervisory Authority is saying a simple BCR can take 12 months! A number of organisations already have them in place with the UK ICO.
Approved Codes of Conduct together with binding and enforceable commitments of the controller or processor in the third country;These are industry led schemes which as part of an industry or association scheme, as in BCR there is a “time lag” need approval of an EU supervisory authority and I have not seen the development of any new schemes. ·
Approved certification mechanisms together with binding and enforceable commitments of the controller or processor in the third country. If in place this would be far the easiest scheme, a processor is “certified” meets the accreditation criteria to operate within safeguards and is able to process data in and out of the EU. The challenge is that the schemes as defined in article 42 have yet to be developed and will take some time to work up and allow processors to “tool up” in time. By the way this certification is like the way “goods” are allowed into the EU who meet the quality standards laid down in the certification scheme.·
Controllers can transfer outside the EU in a few other ways subject to local derogations such as consent, contract and legal requirement between public authorities.
The requirement of the UK to be deemed an adequate country is both the wish of the UK and the EU, so with a fair wind and good will EU and UK organisations will not need to put in place additional the safeguards required under article 46.
However what UK HQ based organisations will need to do is review who their representative within the EU will be post Brexit and who their lead supervisory authority will be within the EU.Nigel Gooding www.DataPrivacyAdvisory.com With offices based in the UK & EU we are best placed to support this decision making.