Brexit — data protection

The Legal Digest
3 min read · Jan 31, 2021

We look at how Brexit has affected the flow of personal data under the new regime and the recommendations for UK organisations.

The UK is now under a new data protection regime requiring organisations to make changes to the way that they share personal data. The regime consists of the UK’s Data Protection Act 2018 (“DPA”) together with the retained “UK GDPR”, which sits alongside the EU’s General Data Protection Regulation (“GDPR”) that continues to apply in the EEA.

The flow of data to and from the EU will be essential for organisations in the UK that use suppliers based in the EU or have customers who are EU data subjects, as the UK regime and the GDPR both have extra-territorial effect. This means that an organisation established outside the EU or the UK must still comply with the relevant regime if it processes the personal data of EU or UK data subjects, for example by offering them goods or services or monitoring their behaviour.

The DPA supplemented the GDPR in UK law (the Privacy and Electronic Communications Regulations remain a separate instrument), and on exit day the GDPR was retained as the UK GDPR under the European Union (Withdrawal) Act 2018, together with the existing body of EU case law. However, as a non-EU country the UK now needs an EU adequacy decision before personal data can flow freely from the EEA to the UK.

Rather than an adequacy decision, the EU–UK Trade and Cooperation Agreement contains a “bridging” provision: for a period of up to 6 months from 1st January 2021 (four months, extendable by a further two), transfers of personal data from the EEA to the UK are not treated as transfers to a third country, in the hope that the European Commission will adopt an adequacy decision before the period ends. Transfers in the other direction are unaffected for now, because the UK has recognised the EEA states as providing adequate protection.

What can organisations do in the lead up to the adequacy decision?

UK organisations should prepare as though the UK were already a third country, so that if no adequacy decision is delivered they can still lawfully receive personal data from the EEA and continue to send it.

The ICO sets out comprehensive guidance on the measures that organisations can take:

  • conduct risk assessments covering the type of data being exported, how and why it will be processed by the data importer, the processing operations themselves, and how records will be retrieved or deleted at the end of the relationship;
  • use Standard Contractual Clauses (“SCCs”) — the Commission-approved SCCs should be inserted into contracts and their text cannot be amended (other than by adding clauses that do not contradict them), and they require both the data exporter and the data importer to comply with their requirements;
  • Binding Corporate Rules can be implemented instead of SCCs. They are internal policies, approved by a supervisory authority, that allow multinational groups to transfer personal data between group entities, and may be more popular with, for example, financial services groups that have a presence in the EU;
  • check whether you need to appoint an EU representative (and, for EU businesses, a UK representative) under Article 27, and confirm that your DPO arrangements cover the requirements of both regimes.

Guidance following the Schrems II ruling

The European Data Protection Board (EDPB) published comprehensive recommendations on supplementary measures in the wake of Schrems II for organisations that transfer personal data under the GDPR. The recommendations make the data exporter responsible for verifying, transfer by transfer, that the transfer tool relied on (such as SCCs or BCRs) actually delivers a level of protection essentially equivalent to that in the EU. The guidance goes further than the text of the legislation: it sets out a step-by-step approach that covers mapping all transfers, assessing the laws and practices of the importer’s country (in particular public-authority access to data), and adopting technical, contractual and organisational measures, including changes to policies and due diligence on the importer, where the importer’s local law undermines the protection of the transfer tool.

For EU–UK flows, the need for SCCs will fall away if the UK receives an adequacy decision, meaning the UK can return to dealing with EU data flows in much the same way as it did before Brexit. This will make it easier for businesses when doing business with the EU. An adequacy decision can, however, be reviewed or struck down by the Court of Justice, as the Safe Harbour and Privacy Shield decisions for the US were, so organisations should keep their transfer records and fallback contracts ready rather than discard them.

Written by The Legal Digest

Insights and commentary on law and business @the_legal_digest