With the withdrawal from the European Union looming, many organisations are putting safeguards in place to ensure continuity of business. Previously, there has been stockpiling of resources, the movement of production facilities, and even relocation of organisation headquarters. For those organisations that still intend to do business with any EU citizens, regardless of where their business is physically located, there is the ever present question of data protection. The GDPR will still be in effect and all EU citizen data must be afforded the correct protections. Alongside this, the UK is committed to maintaining an equivalent to the GDPR (a UK GDPR) which will come into effect on ‘exit-day’ as part of the European Union (Withdrawal) Act 2018, mirroring the EU GDPR at that point. Whilst this may seem cut and dry, there are two ways which this can go from here depending on whether the UK leaves the EU with a deal or without one.
Scenario 1 (Deal)
By leaving with a deal, the UK will enter into an agreed upon transition period whereby it will continue to apply the GDPR with no major law changes occurring on ‘exit-day’. This means that organisations can continue as they have been, processing the data of EU citizens provided there is a lawful basis for doing so without having to jump through any extra hoops, as any EU member state would. During this period, the EU will commit to performing an adequacy assessment on the UK with the aim of completing it before the transitional period ends. A favourable decision from an adequacy assessment would prevent the UK from being labelled as a ‘third country’ under the GDPR and subject to the restrictions that come with it, meaning that it could then continue to process EU personal data without any special measures needing to be put in place.
Scenario 2 (No-Deal)
If, however, the UK leaves the EU without a deal, certain issues present themselves. The most notable is that without a withdrawal agreement in place, there is no set transition period or agreed upon process for doing so. What that means from a data protection perspective is that the UK would, from ‘exit-day’, be treated as a ‘third country’. The GDPR does not allow for the processing of EU citizen personal data outside of the European Economic Area (EEA) by ‘third countries’ without certain controls being in place, ‘Privacy Shield’ in the US being an example of this. Whilst the UK Government does not intend to impose any restrictions on transfers of personal data flowing from the UK to the EEA, the same cannot be said for the reverse.
Lacking existing agreements such as Privacy Shield, the UK will have to apply for an adequacy assessment to ensure that its laws on data protection meet the high standards of the GDPR. The fastest assessment so far has been for Argentina at 18 months. Whilst, on the face of it, it could be assumed that by adopting the GDPR into national law that the UK would be fast-tracked through this process, there have previously been some points of contention over UK surveillance laws. Though it is unlikely that this would prevent the recognition of adequacy in the UK, concerns are likely to be raised by EU members over this as adequacy largely depends on the protection of fundamental rights being equivalent to those in the EU.
During this potentially disruptive period, ensuring business continuity will be a primary concern. The Information Commissioner’s Office (ICO) has recommended a few courses of action for those organisations that regularly process EU citizen’s personal data. Standard contractual clauses (SCCs) are a standard set of safeguarding terms and conditions that both the sender and receiver of data adhere to in order to protect personal data coming from the EEA. These can be found on the ICO’s website in a link at the end of this article.
It may also be necessary for your organisation to appoint a representative within the EEA to act on your behalf regarding EU GDPR compliance. This is only the case if your organisation has no branch, office, or establishment in any EU or EEA state and is either offering goods or services to individuals in the EEA or is monitoring the behaviour of individuals in the EEA. The details of your representative should be given to the individuals from the EEA whose data you are processing and this can be done in your privacy notice. More information about European representatives and the requirements for their appointment can be found on the ICO’s website in a link at the end of this article.
Ultimately, data will still be able to flow both ways between the EU and the UK, provided certain conditions are met. There’s no requirement to batten down the hatches just yet and every opportunity to ensure business can continue as usual. The key part for mitigating any issues that may arise as a result of a no-deal scenario is preparedness; following the ICO guidance and putting the correct measures in place ahead of time to ensure compliance. The tools are there to be used, but it is down to the organisation to make sure they are properly implemented.