You can’t turn on the news without hearing about Brexit, but exactly how is it going to affect your business in relation to data protection?
What UK companies should do about data protection and GDPR when we Brexit
Six Steps to GDPR Compliance post-Brexit:
- Get a hold of yourself. Don’t panic. Carry on complying with GDPR and DPA (2018)
- Get a hold of the problem. Figure out if you are going to be impacted and how
- Identify policies, documents, assets, and controls that may need to change
- Identify any changes to your Statutory Authority and territorial representation
- Keep up to date as things evolve and become clearer
- Get a hold of your team. Let people know a change is coming and where they can get details
Get a hold of yourself. Don’t panic. Carry on complying with GDPR and DPA (2018)
UK companies must comply with the Data Protection Act (2018), which was built with the EU GDPR in mind and is closely aligned to it. When Britain leaves the EU, the plan is that the GDPR will be incorporated into UK legislation alongside the Data Protection Act, although it will be amended to be relevant to a UK-only context.
We know that many companies, large and small, are not totally compliant with GDPR or data protection law today, so their focus should be very much on understanding and meeting those requirements, as they are unlikely to change significantly during the transition.
UK-based Data Protection Officers can continue in their role, as long as they remain abreast of UK and EU regulation, and are easily accessible from the UK and from inside the EEA.
Get a hold of the problem. Figure out if you are going to be impacted and how
If you are a business operating completely inside the UK, with UK staff, suppliers, customers and the like, there is probably not much more than this focus on UK legislation to achieve. Continue to follow advice from the ICO and be ready to demonstrate compliance when asked.
If you need help with identifying your information flows, collating your policy and privacy documents, and organising your Information Security Management System, then contact us and we might be able to help.
Companies that send and receive personal data to/from the EEA (European Economic Area) will need to ensure that they have adequate safeguards in place to lawfully continue those information flows. At the point of exit, Britain will not have a formal adequacy decision from the EU and any EU-based organisation will need to ensure that adequate safeguards are in place in the absence of that decision.
There will be new UK transfer provisions and documentation requirements for sending personal information to the EU. The UK Government has indicated that you may continue to transfer personal data from the UK to the EU under a transitional adequacy decision and intends not to restrict this information flow.
These UK transfer provisions will also import the existing adequacy decisions from the EU, allowing data transfers from the UK to those jurisdictions without any change. Data transfers to countries without an adequacy decision will remain as they are, for the moment.
As such, it is crucial that a company can easily reference documentation describing their information flows, sufficient to identify flows involving personal information transfer.
Identify policies, documents, assets, and controls that may need to change
For information flows to third parties, contracts may need to be amended with Standard Contractual Clauses (SCCs) to cover affected information flows. For flows internal to a business group, Binding Corporate Rules (BCRs) may need to be reviewed to ensure lawful transfer of personal information between business units operating across the UK-EU boundary.
It’s time to revisit your privacy policies, employee policies (if you employ people from the EU), and the Data Privacy Impact Assessments (DPIA) you have completed for all of your significant processing of personal information.
Make sure your inventories include, if necessary, territorial information about where the asset is located – be that a virtual server, computing device, or third party application or SaaS provider.
Identify any changes to your Statutory Authority and territorial representation
Multi-national organisations currently regulated by the ICO may find that their EU operations are no longer regulated by the ICO. Those businesses will need to identify whether they can still benefit from the “one stop shop” arrangements that allow a company to have a single Statutory Authority (SA) instead of having to have arrangements with (possibly) all EU members.
If you are in the UK but sell products and services into the EU, or monitor EU data subjects, you may need to arrange a representative in the EEA, separate from your DPO. This cannot be done by any Data Processor you may otherwise be relying on. You do not need to appoint a representative if you are a public authority, or if your processing is only occasional, low-risk, and does not involve special category or criminal offence data on a large scale.
Keep up to date as things evolve and become clearer
The UK government and EU bodies are trying to minimise disruption and reduce the impact of Brexit, but there will be challenges, reflection, changes and adaptations through any delay, any transition period, and the early stages of whatever new relationships emerge.
Businesses, particularly those focused on consumers and handling large amounts of, or particularly sensitive, personal information, need to be on the ball. Working out your lead SA, ensuring the right members of staff are engaged and informed, and getting your company’s ISMS documentation into a place where it is easy to access and well organised will help you cope with any changes that appear in the immediate future.
Get a hold of your team. Let people know a change is coming and where they can get details
activereach is a UK company, operating under UK law and registered with the ICO. The ICO publishes detailed guidance to organisations about preparing for Brexit.