The last day of the awful year 2020 has finally arrived and it is the last day of the Brexit Transitional Period. What screaming issues will we face next week? There will be some, lorries bumper to bumper across Kent, sudden drop in income from financial services that we can no longer sell in the EU, a closed tap on the dataflows from the EU. All of these scenarios are reasonably likely, the EU did not want the UK to leave the club and still less does it want to show other potential waverers in the club that there are any easy options if you do.
If your business has not yet thought about dataflows from the EU, it is a little late now but what you need to know is:
- If your data comes direct from the data subject, rely on consent which is implicit when they fill in an online form, place an order or raise a query direct with the organisation. Just make it really clear on the website that your organisation is located in the UK.
- If your data comes via a third party, put in place the EU and UK approved standard contractual clauses. The appropriate version depends on the nature of the relationship between your organisation and the third party and be warned:
- There are not standard contractual clauses to meet the need in every situation
- The current clauses were issued under the 1995 directive and will be replaced shortly requiring your organisation to go through the process again within a year
- The new, draft clauses under consideration may change following the consultation period and may change again before being approved by the Information Commissioner in the UK as they reference the EU GDPR, EU Member States etc and so don’t really work in the UK under the UK GDPR.
(I did say that the EU will not be making it easy for us.)
Once you have selected your mechanism for authorising international dataflows between your organisation in the UK and EU citizens, update your Privacy Notices to show that data is being transferred to a foreign country and the legal mechanism relied upon for the transfer.
If your organisation has a lot of EU consumers you are likely to need representation in the EU for data protection purposes. The European Data Protection Board has explained how this works and what your options are here https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_3_2018_territorial_scope_after_public_consultation_en_1.pdf
So, good luck with that and remember that Data Protection Consulting will be around next week to help if it all goes haywire.
Mandy P Webster, Data Protection Consultant