What should you do about Personal Data Transfers – 'Deal' or 'No Deal' Brexit?
Businesses that transfer personal data between the European Union (EU) and the UK face several possible scenarios after the end of October 2019, the deadline by which the UK is due to leave the EU.
In a perfect world, the UK and the EU would reach an agreement acceptable to all parties, meaning a 'deal' is in place and the UK departs on the set date. This would give businesses a two-year transition period during which GDPR rules continue to apply and personal data transfers can continue as they do today. During this time, the intention is that the UK submits its case for an adequacy decision from the EU Commission. A positive adequacy decision would allow transfers of personal data to the UK to continue without businesses having to implement additional measures. This scenario has the least immediate impact on businesses because, during the transition period and following an adequacy decision, effectively nothing changes in data protection terms.
However, the reality is that Brexit might happen without a deal being agreed, and no one can predict the outcome right now. If the UK leaves the EU in a 'no deal' Brexit, the UK immediately becomes what is known as a 'third country', meaning a country outside the EU that has not (yet) been found by the EU Commission to provide adequate data protection. Businesses that wish to continue transferring personal data from the EU to the UK would then need to rely on one of the transfer mechanisms set out in Chapter V of the GDPR. These mechanisms include:
Transfer personal data to the third country with the explicit consent of the individuals, given after they have been informed of the possible risks of the transfer (a derogation intended for occasional transfers, not for routine bulk flows)
Have in place EU Commission approved Standard Contractual Clauses (also known as Model Contract Clauses) between the EU sender and the UK recipient
For intra-group transfers, mainly within large corporates, rely on Binding Corporate Rules; approval follows a set process and can take up to three years to be fully implemented, so they are not a quick fix
Let's look at how companies holding personal data would cope with a 'no deal' situation. There are businesses in the UK that:
serve UK-only customers/employees, but their data is processed in the EU by a data processor, i.e. a party working on behalf of the UK company
serve both UK and EU customers/employees, and their data is processed in both locations
In the first case, companies can continue to transfer UK personal data to the EU. The UK has decided that EU data protection law provides an adequate environment for UK personal data, so in effect nothing changes on the outbound leg. UK businesses can rely on the existing contracts they have with their EU data processors, and data relating to UK individuals can be transferred (securely!) back and forth with the EU. One check worth making: once the UK is a third country, the EU processor returning data to the UK controller is itself a transfer out of the EU, so confirm that the processor contract covers that direction (for example with Standard Contractual Clauses). Beyond that, this scenario should introduce few additional obligations.
In the second case, the situation is much more complex. The UK company is now situated in a third country and is processing personal data of EU individuals, so one of the transfer mechanisms explained above must be put in place. In addition, a UK company that offers goods or services to individuals in the EU, or monitors their behaviour, without having an establishment in the EU must appoint an EU Representative under Article 27 of the GDPR. See our next blog on what needs to be done to appoint an EU Representative.
TAKE ACTION NOW! Review your business model and your data flows, decide which transfer mechanism works best for you, and be prepared so there are no surprises, whether it is a 'deal' or a 'no deal' Brexit.
If you are relying on consent, here is how ConsentEye can support you…
Once your business model has been reviewed, take advantage of our expert Privacy and Data Consultants to sanity check the optimum transfer mechanism for you, at no cost.
Also, if your organisation is struggling to identify which individuals gave consent in the EU or the UK, how they gave it and when it was given, ConsentEye can help, saving months of time and effort.
This award-winning cloud application is used by organisations all over the world. It enables them to build trust and transparency with individuals and provides a system through which consent can be withdrawn as easily as it was given, which is a legal requirement under the GDPR.