Posted by Ruth Cohen, legal and research executive and data protection officer at Legal Futures Associate VinciWorks
I recently met with officials from the European Commission to discuss what Brexit will mean for GDPR compliance, including the current extension until the end of October.
What happens to GDPR during the Brexit extension period?
The UK remains an EU member state, so EU law, including GDPR, continues to apply directly. That changes on exit day: GDPR will cease to apply in the UK as EU law, even though its provisions have been carried into domestic law through the Data Protection Act 2018.
What will happen to GDPR in the UK post Brexit?
The UK will become a ‘third country’ under GDPR, and will therefore be subject to the same restrictions on data transfer from the EU as any other.
What will that mean for data coming in and out of the EU from the UK?
For personal data to keep flowing from the EU to the UK, there must be a lawful basis for the transfer. That means either an international agreement between the two, or a decision by the European Commission under article 45 of GDPR that the UK ensures an adequate level of data protection.
The precedents usually cited, the EU-US Privacy Shield framework and Canada's PIPEDA regime, both rest on Commission adequacy decisions of this kind.
How easy will this be?
It is clear that nothing is presently in process that would allow the UK to be recognised under article 45 automatically on exit. You therefore cannot presume that the UK will have adequacy status on Brexit day.
What is the process to be recognised under article 45?
This involves four steps: a proposal from the European Commission; an opinion from the European Data Protection Board; approval from a committee of representatives of the EU member states; and adoption of the decision by the European Commission.
How long could this process take?
It usually takes six to nine months. There are also judgments of the Court of Justice of the European Union, such as the Tele2 case on data retention, that call the adequacy of UK data protection into question, so the process may be less straightforward than many expect.
What next steps should I take?
- Review the flow of data to your firm, and try to identify where you receive data from the European Economic Area, including from suppliers and/or processors;
- Ensure you have adequate contractual clauses in place in the event the UK leaves the EU;
- If you are based in the UK and not established in any other member state, and you offer services to people in the European Economic Area, appoint a representative in the EU (article 27 of GDPR) to act as the contact point for data subjects and data protection authorities;
- Review all privacy information and documentation to identify which details may need updating when the UK leaves the EU; and
- Ensure key people in your organisation are aware of the ongoing importance of GDPR compliance, regardless of Brexit. This includes ensuring all employees are sufficiently trained.
What are adequate contractual clauses?
To safeguard transfers of personal data from the EU to the UK, the current recommendation is to ensure that every contract under which you receive personal data from the EEA, and which may be affected by Brexit, incorporates the standard contractual clauses published by the European Commission.
The Commission publishes model clauses on its website, with separate sets for controller-to-controller and controller-to-processor transfers, available in multiple languages. The clauses must be adopted as published: the parties may add commercial terms around them, but may not alter the clauses themselves.
How can I ensure my staff are sufficiently trained on GDPR?
All personnel should be aware of the ongoing importance of compliance with GDPR, together with the specific implications for EU operations and data flows.
Furthermore, as we are approaching the one-year anniversary of GDPR enforcement, now would be an appropriate time to ensure that all employees have carried out the appropriate GDPR training.
It is recommended that staff train on GDPR once a year.
What is the key takeaway?
As a UK firm, don’t presume that there will be an automatic adequacy status for the UK in the event of Brexit.
As a result, you should review all agreements under which personal data flows to or from the EEA. Incorporate standard contractual clauses where possible, and make sure all employees understand the importance of GDPR, regardless of the implications of Brexit.