Published on Tuesday, October 1, 2019 - 09:26 by Peter Galdies
The 31st of October is looming, and a no-deal Brexit is starting to look like a very real possibility. Many industries will be affected overnight if this takes place, and there are now serious concerns around how UK organisations will be able to share data with their EU partners.
Under EU law, should a no-deal Brexit take place the UK will become a “third country” not bound by the GDPR’s legislation, and able to deviate from the existing strong standards if parliament decides on that course of action.
Consequently, data from EU countries would not be able to flow freely to the UK, which could end up with disastrous and unpredictable consequences. Whilst the UK had hoped that the EU would grant it a special status which would recognise the UK’s data protection regime as equal to the EU’s, the EU has instead committed to assessing the UK for “adequacy”.
This means the UK will need to undergo a period of continuous assessment before getting the green light for data transfers to go ahead unimpeded.
In the past, the process of granting adequacy has taken between 18 months and five years.
This article explains the repercussions that a no-deal Brexit will have on data transfers, along with guidance on the steps organisations should consider taking now to prepare.
What will happen in the event of a no-deal Brexit
Should the UK leave the EU without a deal, there will be no transition period before it becomes a ‘third country’.
This will have several major ramifications.
Under the GDPR, organisations in third countries can only process EU residents’ personal data if:
The adequacy decision procedure cannot begin until exit day. If there is no deal and no transition period, UK organisations that process EU residents’ personal data must ensure SCCs or BCRs are in place before then so their data processing activities remain lawful under the GDPR.
SCCs and BCRs are formal contracts between organisations that share personal data (including partners and suppliers), which set out how the data will be protected.
The EU Privacy Shield Agreement
Whilst the UK government has stated that “UK organisations will continue to be able to legally send personal data from the UK to the EEA and 13 countries deemed adequate by the EU” (including to US members of the EU-US Privacy Shield), it is very hard to gauge how long this will remain the case, particularly as the UK will have no further say on how the Privacy Shield is enforced or revised, since it is an EU agreement.
Consequently, specific consent, SCCs or BCRs are the only real course of action for UK data controllers that require certainty when using US data processors, either directly or via suppliers and partners.
GDPR and DPA 2018 compliance will still be mandatory.
Just like all other organisations that are based in a third country and supply services to the EU, UK organisations will also need a representative in the EU, under Article 27 of the GDPR.
In the event of a no-deal Brexit, the government has specified that it plans to duplicate the Article 27 provision, requiring controllers based outside the UK to appoint a representative in the UK.
Should the UK exit the EU without a transition period, a controller or processor located outside the UK (but bound by UK data protection laws by virtue of their extra-territorial impact) may be required to appoint a UK representative.
Your EU representative can be any legal person based in an EU member state within which you collect personal data.
If your organisation collects information from the entirety of the EU, you can appoint a representative from any EU member state. However, if you only collect personal data from data subjects in Germany, for example, your EU representative must be based in Germany.
If you have several different countries to choose from, it’s best to select either the one where you collect the most information, or conduct the most extensive monitoring.
Cyber-criminals relish periods of commotion, and the run-up to Brexit and the period beyond will be a time of significant distraction.
Organisations should expect to see Brexit-themed phishing scams, in addition to other types of cyber-attack that will try to take advantage of an organisation’s uncertain security position.
We advise organisations to act now and ensure:
With Brexit uncertainty lingering, we’re aware that organisations are hesitant to make data protection decisions when no one is sure if and when the UK will leave the EU, and which new requirements will kick in.
At DQM GRC, we provide practical solutions for organisations that either don’t have the necessary specialist expertise to fulfil their data protection obligations, or those that are just looking for extra privacy and compliance support on a provisional or project-based basis.
Our expert consultants can provide additional support to help you answer queries, comply with the law, review your policies in line with the regulations and deal with data protection incidents.
To find out more about how we can help your organisation, call us now on 01494 442900 or complete our enquiry form: