The March 2019 Brexit deadline is approaching and it is still no clearer what the position will be in April 2019, so what steps should you take now to prepare for Brexit (if you have not already done so)?
The key issue is that GDPR distinguishes between personal data processed within the EU Member States (and the wider EEA) and personal data processed in countries outside it, which GDPR calls "third countries". Transferring personal data to a third country carries extra compliance requirements.
Following Brexit the UK will be a third country to the remaining EU Member States, and transfers of personal data from the EU to the UK will need one of the following:
- an agreement between the EU and the UK (an adequacy decision) allowing existing personal data flows to continue uninterrupted, or
- the explicit consent of each individual data subject to their personal data being transferred outside the EEA, given after they have been informed of the possible risks of the transfer, or
- a contract with the data controller or processor located within the EU that recognises the transfer of personal data to a third country (the UK) and incorporates the EU Model Clauses (the standard contractual clauses) into the arrangement.
Other transfers to third countries are permitted only under narrow derogations, for example where the transfer is necessary to establish, exercise or defend legal claims or for important reasons of public interest.
In November 2018 the European Commission indicated that, in the event of a no-deal Brexit, an adequacy decision allowing continued data transfers between the EU and the UK is not part of its contingency planning. A no-deal Brexit therefore means there is no agreement with the EU under which existing personal data flows can simply continue. If your business collects personal data directly from data subjects in the EU, for example online retail, gaming or membership administration, then explicit consent to the transfer is the mechanism most likely to meet GDPR requirements for importing that personal data into the UK.
If your business receives personal data relating to EU data subjects via a controller or processor located within the EU, the most appropriate mechanism is to amend the existing contracts with the transferor to include the Model Clauses, controller to controller or controller to processor as appropriate. Even where your existing processes collect data directly from data subjects in other EU Member States, it is worth considering "passporting" the data in from the EU via an organisation located within it and putting the Model Clauses in place with that organisation, if obtaining and maintaining the consent of each individual data subject would be difficult.
Timing is now critical: you need not only to decide on the best strategy and engage with customers and partners in other EU Member States, but also to revise your privacy notices. Corporate partners in the EU will also need to revise their privacy notices to state that they export personal data to the UK, a third country, and what safeguards protect that data once it is there.
Appointing a representative
Regardless of whether Brexit is hard or soft, some organisations will need to appoint a representative in the EU. GDPR (Article 27) provides that controllers and processors not established in the EU that offer goods or services to data subjects in the EU, or monitor the behaviour of data subjects in the EU, must designate a representative established in one of the Member States where those data subjects are. The representative's role is to act as a point of contact between the organisation and the supervisory authorities and data subjects.
So, a UK business that sells only to French consumers will need a representative in the EU, and France is the obvious place to establish one. An online business selling across the EU needs a single representative established in one of the Member States where its customers are; it is not required to appoint one in every Member State. There is a saving provision: a representative is not required if the processing is occasional, does not include large-scale processing of special category data (racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic and biometric data, health, sex life or sexual orientation) or of data relating to criminal convictions and offences, and is unlikely to result in a risk to the rights and freedoms of data subjects.
As a rule of thumb, if your organisation has had to designate a Data Protection Officer, that indicates that its processing activities carry a certain level of risk, and it will be difficult to argue that the saving provision applies.
The representative must be mandated in writing, authorising that person or company to "be addressed" in addition to, or instead of, the controller or processor. Supervisory authorities and data subjects will then communicate with the representative on all issues related to the processing of personal data, for the purposes of ensuring compliance with GDPR.
The UK disapplied Article 27 in the Data Protection Act 2018, so there is currently no equivalent requirement for controllers in the EU to appoint a UK representative if they process personal data relating to data subjects in the UK.
Changes to privacy notices
Once a strategy has been decided on and implemented, it needs to be explained to data subjects in the privacy notice. That means updating documentation, customer paperwork and the website privacy notice. As ever, keep a record of your compliance activity so that you can demonstrate to the supervisory authority (the Information Commissioner's Office in the UK) that steps have been taken to comply with the law.