Brexit brings new rules for international data transfers

While Britain was part of the EU, and during the transition period, data could move freely between the UK and the EU on the basis of the shared legal framework under GDPR. The ICO could also coordinate supervision with the other data protection supervisors across Europe.

After Brexit, things are likely to change. Unless the UK gets an ‘Adequacy decision’ from the EU before 31 December, organisations will need to update contracts governing data transfers between the UK and EU – including data sharing agreements with other parts of their own groups of companies.

You may also need to appoint local representatives in the EU and/or UK and identify a new lead supervisory authority.

Discover more about our Brexit Readiness Assessment below

What does a Brexit readiness assessment cover?

Our Brexit readiness assessment covers the three key actions, and around 150 supporting smaller tasks, required to keep your data flowing after Brexit. We will help you make sure you have completed all the work you need to do to comply with the law and protect your processes.

Our assessment is based on our GDPR Gap Analysis and covers the same 9 areas:

Governance

The extent to which data protection accountability, responsibility, policies and procedures, performance measurement controls, and reporting mechanisms to monitor compliance are in place and operating throughout your organisation.

Risk management

Your organisation’s arrangements for privacy risk management, the extent to which information-specific risks are incorporated into corporate risk management, and the extent to which risks to the rights and freedoms of data subjects are addressed.

Privacy by design

The extent to which data protection by design has been incorporated into the development of your systems, services, products and/or processes.

DPO (data protection officer)

Whether your organisation is required to appoint a DPO, whether one has been appointed and, if so, whether they meet the Regulation’s requirements.

Roles and responsibilities

The extent to which your organisation has defined and established appropriate roles and responsibilities, and delivered appropriate training and awareness.

Rights of data subjects

The processes your organisation has implemented to facilitate and respond to data subjects exercising their rights under the GDPR/DPA 2018.

PIMS (personal information management system)

ISMS (information security management system)

Scope of compliance

Whether your organisation has clearly defined the scope of its GDPR compliance, taking account of all data processing in which it has a part, whether as data controller or processor, as well as any data sharing

What to expect

Your consultant will work with you to schedule interviews with key individuals such as, the Head of IT, Privacy Manager, Brexit Project Manager and Head of Operations.

In the interviews, your consultant will ask questions to help them establish whether the organisation is aware of the tasks required and if so, whether it is on track to complete them.

The interviewees should not need to prepare for the interview, but if they have a Brexit project plan, it would be useful for them to have it available.

After the interviews, the consultant will produce a report showing clearly what actions are not started, started but at risk, and on track or completed. This will help you identify and fill any gaps in your preparations.

What comes next?

Your consultant can help you to implement the recommendations. Your support plan can be tailored to your requirements.

Example Service 1 - A little help

We can provide you with telephone and email support to answer any questions you may have as you work through your plan.

We typically provide this as pre-paid days, which can been drawn down in 15 minute increments on the basis of the time taken to answer each query.

This is suitable for simple questions with simple answers. If your question is more complex, we will let you know and provide you with a suggested approach for us to help you resolve it.

contact us

Example Service 2 - A lot of help

In one week, we could:

Review your policies, procedures and risk registers and highlight areas that will need review.
Work with you to identify the most appropriate lead supervisory authority and advise you of any actions you need to take, such as paying a registration fee.
Review your roles and responsibilities, including your DPO if you have one, and advise you of any training needs resulting from Brexit.
Review your Article 30 Records of Processing and highlight priority processes for review.
Review your contract library and highlight the contracts that will need to be renegotiated.
Work with your project team to ensure they understand the actions allocated to them and the requirements for completing each task.

Other services of interest:

EU GDPR Representative Service

If you process data belonging to EU citizens but do not have an establishment in the EU, you may need to appoint an EU Representative. The EU representative acts as a local contact for data subjects and supervisory authorities in relation to all issues arising from the processing of personal data.

Our sister company GRCI Law can act as your EU Representative and act as your point of contact for EU citizens and EU supervisory authorities.

visit grci law

Privacy as a Service

Our sister company GRCI Law can provide privacy compliance and legal services to support you to comply with your obligations. With Privacy as a Service you:

Achieve GDPR and DPA compliance quickly, easily and cost-effectively.
Remain one step ahead with affordable advice, guidance, training and support.
Reduce your privacy risks with one simple and affordable subscription service.
Enjoy peace of mind with your own dedicated, outsourced DPO or data privacy manager.