How does Brexit affect your Organisation’s data protection?
On the 31st December 2020, the Brexit transition period came to an end. The Brexit Trade Deal negotiated on the 24th December 2020 allows for the delay of any changes for at least 4 months, giving your organisation more time to prepare.
Does this apply to my organisation?
If your Organisation does not have offices, branches or other establishments in the EEA (European Economic Area) but you undertake data processing of individuals within the EEA in relation to goods and services that you offer then the below checklist will apply to you. This will not apply to you if you send and receive data into and from other countries (including European countries) directly with consumers. If, however you store data in other countries via a cloud infrastructure for example, this will still apply to your organisation.
Our platform can help you simplify this process by mapping out your data flows so you can see the countries you send your data to, the types of data you hold and the rules to follow under each circumstance.
How can my organisation prepare?
1. Map your data flows
You need to identify and map any flow of data between your organisation and the EEA. It is also helpful to identify the time and date of these data transfers so that you can identify new data being collected now that the transition period has ended and those that were collected before the end of the transition period (1st January 2021) which will be considered as ‘legacy data’. Legacy data is personal data of individuals outside of the UK being processed within the UK, which were either acquired before the transition period ended, or where it is being processed on the basis of the Withdrawal Agreement, after the end of the transition period. Any data transferred before will be subject to EU GDPR whilst data collected after this date would be subject to UK GDPR rules. EU law refers to the law applicable on the last day of the transition period.
Note: the ICO advises that large volumes of data, special category data (such as medical records) or criminal convictions, and business critical data should be mapped first and detailed fully.
2. Update your Records of Processing Activities (ROPAs)
Once you have identified and mapped out your data, your organisation should update your Records of Processing Activities (ROPAs) accordingly to evidence your compliance.
3. Identify the relevant safeguards
As the UK is now considered a ‘third country’, this means that transferring data between the UK and the EEA would involve extra safeguards that were not needed before Brexit. Until a ‘decision of adequacy’ has been made which would deem the UK as having met the EU data protection standards and thus able to transfer data freely, these safeguards can be in the form of:
SCCs - The most common for SMEs are Standard contractual clauses (SCCs) which are contracts that have been pre-approved by the EU that allows a company to continue transferring data between the EEA after the UK leaves the European Union. This is only the case where SCCs provide for “essentially equivalent” protection as in the EEA and the ICO has a useful tool for SMEs to determine whether this is the right form of safeguard for your organisation.
BCRs - For larger corporations, it is more common to adopt binding corporate rules (BCRs) as they are suited for international transfers between separate entities within the same organisation and thus better suited to global businesses. They are internal codes of conduct which apply to multinational groups.
There are a number of exceptions to this as set out in Article 49 of the UK GDPR under which you may be able to continue transferring data such as:
· Explicit consent from the individual to have their data transferred between the EEA and the UK in this precise manner and not just a general acceptance from the individual;
· Performance of a Contract in which you have a contract with the individual whose data you are transferring and the transfer itself is only on an occasional basis;
· Reasons of Public Interest or Exercise of Legal Claims, both of which involves following prescribed laws and regulations;
· Transfer of public registers;
· In the Vital Interest of someone unable to consent; and
· Compelling legitimate interest of which the transfer is a one-off transfer.
Further information on what constitutes the above-mentioned exceptions complete with examples can be found on the ICO website.
4. Identify and appoint a Representative in the EEA
Identify whether you process an individual's data from the EEA that relates to the goods or services you offer them or if you are monitoring the behaviour of individuals in the EEA. If your organisation answers yes to either of these, you will need to consider appointing an EEA representative. Such representatives must be authorised in writing which can be done via a simple service contract. The representative must also be able to effectively communicate with the data subjects and so should be ideally using the language of the data subjects. Finally, representatives should be provided with relevant and up to data information in order for them to fulfil their role.
Note: your data map should be able to tell you which country within the EEA is the most suitable for you to appoint a data representative in.
5. Identify the EEA Lead Supervisory Authority
A Lead Supervisory authority acts as a lead on behalf of other EEA countries so that controllers and processors inside the EEA need only deal with one supervisory authority as opposed to 28, when they conduct cross-border processing (transferring data between the EEA countries). This is known as the ‘one stop shop’ mechanism. This also means that companies should only be investigated by one authority and issued with one fine. But since the transition period has ended, the UK can no longer conduct ‘cross-border processing’ as it is now a third country and consequently, the UK ICO can no longer be viewed as a Lead Supervisory Authority for the EEA. As such, your organisation would need to comply with both a designated EEA lead supervisory authority as well as the UK ICO.
For example, if you currently have branches or establishments in an EEA country as well as a UK branch and you process the data across the two branches, you are conducting cross border processing which will no longer fall under the bracket of cross-border processing. As such, if there is a data breach affecting your customers both within the EEA country and the UK, you may be liable under both the UK Supervisory authority (ICO) and the EEA lead supervisory authority, and be fined on both occasions. Equally, if you process data solely within the UK but the processing may affect customers within the EEA, you are still liable under both authorities should your processing cause a data breach that impacts customers in those countries.
You should also consider updating your privacy policies to reflect the changes your organisation will make in light of the end of the transition period so that your customers understand how their data will flow between the EEA and the UK.
7. Data transfers between the UK and non-EEA countries
There is a need to comply with the UK GDPR if non-EEA countries wish to send data to the UK. The UK will recognise existing adequacy decisions such as those negotiated with Canada and Israel but are also free to make new ones from 1st January 2021. A list of the current adequacy decisions can be found here. If adequacy decisions are not achieved, the UK will need to meet each sender’s local law requirements.
Overall, you should consider where your data is currently being processed and where your data processors and controllers are located. If it is within an EEA territory, you should look into appointing an EEA Representative that fits the aforementioned criteria and identifying the Supervisory Authorities you may need to deal with. Organisations will also need to consider on what basis data is being transferred into the EEA (goods or services or monitoring purposes) and the types of safeguards that are best suited to your organisation, in light of no adequacy decisions yet being made.
Privasee does not hold the above article to constitute legal advice in any form.
More information can be found on the ICO Website - Data Protection now the transition period has ended.