At the end of the Brexit transition period on 31 December 2020, the General Data Protection Regulation (GDPR) will no longer apply to the United Kingdom, whose status will effectively change from a European Union member state to a third country.
An adequacy decision if granted by the European Commission, will allow the free flow of personal data to continue from the EU to a third country, such as the UK, without requiring further safeguards, on the basis that the third country is viewed as having an equivalent level of data protection to the EU. However, in the event of a no-deal scenario and with no adequacy decision likely in the short to medium-term, if at all, this carries a number of implications affecting the continued free flow of personal data across EU-UK borders, including data exchanges between Ireland and the UK.
| Key data risks and challenges
Currently, the GDPR, aimed at harmonising data protection law across the EU, and UK Data Protection Act, the UK’s implementation of the GDPR, remain similar. However, there may be divergence of these in the future, driven for example by developments such as the Schrems II ruling concerning cross-border data transfers, which may in turn further affect an adequacy decision.
Organisations based in the EU/EEA who perform electronic (e.g. email, FTP/SFTP etc.) or manual (post, courier etc.) transfers of personal data to recipients based outside of the EU/EEA, such as those based in the UK, should understand the key data risks and challenges likely to be faced post the Brexit transition period, and implement plans and measures to limit the impact.
| What next? Here are nine next steps
- Understand impacted data processing operations e.g. collection, transmission, storage, erasure, etc. as defined in GDPR Article 4 for example HR, IT, payroll functions based in the UK. Many organisations have already begun identifying their impacted business processes and systems and this work can be leveraged to identify impacted data flows and data processing operations.
- Understand the extent to which data processors, or third-party service providers are based in the UK. The Irish Data Protection Commission (IDPC) calls out a few examples of these i.e. software, occupational health, pension scheme, website analytics and marketing providers. In addition, understand whether personal data resides in UK-based cloud environments.
- Map EU to UK data flows and processing operations and update Records of Processing Activities (RoPA) to ensure the UK is reflected as a third country.
- Monitor developments and review compliance obligations and requirements under the EU NIS Directive and UK NIS Regulations for cybersecurity to ensure the relevant registrations and breach notifications are performed.
- Determine whether to appoint a representative in the UK and notify the UK Information Commissioners Office (ICO) of the representative, where required by the UK Data Protection Act, similar to GDPR Article 27. For example, an organisation established in the EU only, who sells goods and services to and/or monitors UK data subjects, will require a UK representative.
- Determine whether to assign another lead supervisory authority, if the UK ICO previously fulfilled this role, for the organisation if it operates across the EU and UK.
- Update the external and internal privacy policies to reflect EU and UK representatives in the respective regions.
- Review all relevant policy and procedure documentation as appropriate to reflect the separation between EU law and UK law. These may need to be updated iteratively in the near term as rules get defined and embedded.
- Review and implement appropriate data transfer mechanisms between the EU and UK based on advice from an organisation’s internal or external legal counsel, where relevant. For example, standard contractual clauses (SCCs) and any current EEA-approved binding corporate rules for used transfers in and out of the UK should take account of the UK’s third country status. Public authorities or bodies should consider the use of mechanisms such as administrative agreements, bilateral or multilateral international agreements or Memoranda of Understanding to legitimise such transfers.