Brexit & Personal Data Transfers, risk management starts today.
I wrote last week about the United Kingdom government wishing to leave the European Union & EEA (EU) with an arrangement under which the UK is deemed to have adequate data privacy safeguards in place, allowing seamless EU cross-border transfers.
I am happy to spell out in 2 blog postings the challenges and risks that UK & EU organisations face should Britain leave the EU and, more worryingly, not be deemed adequate.
An adequacy arrangement means that data can be transferred to countries outside the EU & EEA without the additional safeguards laid down by Article 46 of the GDPR. This currently works well in the case of 14 countries, whose number includes Jersey, Isle of Man, Israel, New Zealand and the Faroe Islands.
The UK has recently introduced the Data Protection Act 2018, which, as a main plank of the legislation, provides data protection safeguards such as the GDPR within it. So in essence the UK has done everything possible to go to the table with a strong set of laws.
However, the EU have said that under current arrangements:
Personal data – Brexit preparedness:
Currently, personal data can flow freely between the Member States of the EU, when the GDPR (General Data Protection Regulation 2016/679) is respected. Once EU law ceases to apply to the United Kingdom, the transfer of personal data from the EU to the United Kingdom will still be possible, but it will be subject to specific conditions set in EU law.
Companies and Member States' authorities that are currently transmitting personal data to the United Kingdom should therefore be aware that this will become a "transfer" of personal data to a third country, and explore if it could be permitted under relevant provisions of EU legislation.
If the United Kingdom's level of personal data protection is essentially equivalent to that of the EU, the Commission would adopt an adequacy decision which allows for transfer of personal data to the United Kingdom without restrictions. However, this decision could only be taken once the United Kingdom becomes a third country.
Companies should therefore assess whether, in the absence of an adequacy decision, measures are necessary to ensure that these transfers remain possible. The Member States Data Protection Authorities should assist companies in this endeavour.
What the EU have not said is that this will also apply to EU – U.K. flows, so if you are in Paris processing data in London, start preparing.
The U.K. has agreed a transition deal, subject to a deal being struck, which means that EU laws and trading arrangements will still be applicable up until 31.12.2020. If the UK is deemed to be an adequate country, then happy days; if not, the work has only just begun.
So what happens if the UK is deemed an adequate country, is seen as outside the GDPR/EU club for data protection law, and UK-based companies want to send data into the EU and vice versa?
In essence the UK will have the same status as the 14 countries, soon to be 15 as Japan has been ratified in recent days. A 2-way transfer in and out of the EU requires additional safeguards and a lot of work, mainly for lawyers, to ensure that we can trade data across these borders. Some already have these safeguards in place; however, this is unlikely for most, as the UK is currently in the EU and there was no requirement to put these safeguards in place on the 25th May 2018.
Be warned: in the EU paper there is a clear and present danger of the adequacy decision being made post BREXIT. That may be a negotiating stance, but you would be foolish not to identify the period of transition in the UK's status, from member to non-member to adequate status, as quite a risk.
There are 2 main requirements under GDPR that UK/EU organisations will have to undertake to ensure they can continue to trade.
The first is putting in place additional safeguards under Article 46, such as Binding Corporate Rules (which take ages, and there is a waiting list), new contracts, new consent regimes, or the development of an industry-wide scheme or certification, if the latter is completed in time.
In addition, UK companies will have to appoint a representative within the EU to act on their behalf under Article 27.
Therefore you should be identifying the potential risk of the UK leaving the EU and taking action now.
I shall cover the safeguards you need to put in place and the role of the EU representative in next week’s paper; however, for now I trust you are already planning your next steps.
We at DPAS have both a UK & EU base and are happy to support the preparation for transition that will be required to be able to transfer data across EU borders post BREXIT.
Nigel Gooding, Founder, Data Privacy Advisory Service