Whether or not the United Kingdom (UK) and the European Union (EU) can agree on an exit deal, the UK will be leaving the EU come March 30, 2019. Although the UK plans to incorporate the General Data Protection Regulation (GDPR) into national law, some data privacy issues will still arise as the UK leaves the EU. The UK government is still working on an agreement with the EU to establish a transitional period, which would make things easier for companies doing business in both the EU and the UK. However, deal or no deal, companies should prepare now to comply with the GDPR with the UK treated as a third country.
Brexit means different things to different companies. Those located in the UK that do business exclusively in the UK and do not transfer any data outside of the UK have little change coming. All other companies, however, must review their data flows to determine where the UK's status as a third country under the GDPR could affect how data is processed. The main focus should be on data flowing to and from the EU, but the EU/US Privacy Shield will no longer apply to the UK once Brexit occurs, so transfers to the US must also be taken into consideration.
Transferring data from the UK to countries within the EEA, or to countries for which the EU has issued adequacy decisions as of March 30, 2019, will not be an issue, at least for a transitional period. The UK government has stated that transfers to the EEA will not be restricted and that there will be transitional provisions to recognize adequacy decisions[1]. However, US companies currently participating in the EU/US Privacy Shield must update their public commitment to comply with the Privacy Shield to expressly state that those commitments apply to transfers of personal data from the UK; otherwise UK companies cannot continue to legally transfer data to the US.
The biggest change in data processing for companies in the UK will be the receipt of data from countries within the EEA. After Brexit these countries are no longer able to freely transfer data to the UK without an adequate level of protection according to Art. 44 GDPR. There are multiple options for establishing this level of protection; however, some may be easier and more cost effective than others.
The European Data Protection Board (EDPB) has stated that an adequacy decision can only be made once the UK has left the EU, and many believe that the UK may have a hard time obtaining such a decision. This means that other safeguards must be in place to ensure the protection of personal data. The easiest option will likely be adding standard contractual clauses to any data processing agreements that are in place between a company in the UK and a company in the EEA.
Moving forward, the initial steps a company should take to ensure the continued legal transfer of personal data between the UK and the EEA are:
- Review all data flows to determine where transfers between the UK and the EEA are taking place.
- Update all agreements to contain adequate safeguards for international data transfers in accordance with Art. 44 GDPR.
- Update all privacy policies to inform data subjects regarding the transfer of data to third countries as required in Art. 13 para. 1 lit. f GDPR.
- Update internal documentation of processing activities to include information regarding the transfer of data to a third country.
The ICO and the data protection authorities of many other countries[2] have provided more in-depth information on what should be done to prepare for processing data after March 30, 2019.
[1] https://ico.org.uk/media/2553958/leaving-the-eu-six-steps-to-take.pdf
[2] CNIL in France, Netherlands, GRA in Gibraltar, DPI in Estonia, DPC in Ireland, ODPA in Guernsey and The Isle of Man