Data protection after Brexit is a complex and evolving topic that is not good news to UK business. SMBs are likely to be hardest hit with larger companies.
The main problem is that data protection is not dealt with in much detail in the Trade Agreement, although it includes a ‘temporary bridge’ mechanism for the free flow of personal data from the EU/EEA to the UK. We know that the UK government is forming its strategy at present and signalled that data should be treated as an opportunity rather than a threat, which is closer to the American rather than the EU approach. As time passes, it is likely that the UK’s data protection model will change and may diverge from that of the EU. At present several regimes apply:
- UK GDPR regime: this is the UK’s new bespoke version of the GDPR based on the EU GDPR.
- EU GDPR regime: this is the original GDPR which applies to all 27 member states of the European Union and also Norway, Iceland and Liechtenstein
- Adequacy gap or legacy GDPR regime – this will not apply if the UK receives a final EU adequacy decision.
The European Commission has produced a draft decision that says the UK GDPR and the DPA 2018 ensure a level of protection for personal data transferred from the EU/EEA that is essentially equivalent to the one guaranteed by the EU GDPR. The decision needs further approval and politics and risks may delay ratification of this decision.
Sending data abroad:
- Binding corporate rules (BCRs) remain the gold standard
- BCRs are designed to allow multinational companies to transfer personal data from the EEA to their group companies located outside of the EEA (including the UK since 31 December 2020)
- Standard contractual clauses (SCCs) are approved template terms which ensure GDPR standards are met (provided the terms in the SCCs are respected)
The ICO intends to publish new UK SCCs in 2021. It has produced an amended version of the existing EU SCCs to make sense in a UK context. At some point EU SCCs may be invalid for transfers from the UK.
These are currently under consultation and there is a one-year transition period for their use after they are approved. It is likely they will be valid where the EU GDPR applies. It remains to be seen whether the UK will approve them, but they will be invalid for transfers out of the UK under UK GDPR otherwise.
- Other exceptions to the rule (see slides and recording below).
What about Data Protection Officers (DPOs)?
- If you are currently required to have a DPO, that requirement will continue, whether under the UK GDPR, or EU GDPR. You may continue to have a DPO who covers the UK and EEA. The DPO can continue to be located in the UK
- However, the UK and EU GDPRs will both require that your DPO is easily accessible from each establishment in the EEA and UK, and has expert knowledge of both regimes.
What should you be doing now?
- The most important first step is to understand your data flows and locations involved (you need to distinguish UK processing from EU processing. Prioritise flows containing large volumes, special category data or criminal convictions and offences data, business-critical transfers, and those involving key higher risk areas such as the US). MyDocSafe has built a GDPR tool for recording and mapping of such data flows which serves both as an audit and privacy management platform. It is currently available only for new enterprise clients so please contact us to find out more.
- Armed with your understanding of data flows you will then need to decide if to take further steps such as:
- Taking legal advice to update your BCR, SCCs, Privacy Notices and Data Processing Agreements and how to keep track of law changes
- Appoint EU, UK and NIS representatives?
- Define your appropriate lead supervisory authority
- Ensure your DPO will be easily accessible from any UK and EEA establishments and has expertise in all regimes.
We think the current legal regime is not good for UK SMBs which are likely to struggle to comply or may simply ignore the entire subject. Those with UK operations probably believe that by that virtue they should not be too worried as long as they keep the data in the UK. But most of them don’t even know if that is the case. There was little enthusiasm to do the work to find that out when GDPR was first introduced. We compiled some anecdotal evidence that suggests few have gone through the data mapping exercise, and very few used proper software tools to do that. That is part of the reason why our own GDPR Dashboard tool which was built specifically for that purpose, and we gave away for free at the time, will no longer be available new SMB clients.