The Government plans to incorporate the General Data Protection Regulation (GDPR) once the UK leaves the EU. If your company operates solely in the UK, and has no data transfers to countries outside the UK, you may not need to do much in the way of compliance with data protection regulation, so long as you are effectively complying with the GDPR now.
However, if your company has channels of data flowing in and out of the European Economic Area (EEA), then you may need to make sure you’re complying with both the UK data protection regime and the EU regime after exit.
This article summarises the six key steps the Information Commissioner’s Office has recommended that companies take in relation to data protection if the UK leaves the EU without a deal.
The Six Steps:
1. Continue to comply
Keep ensuring your company is complying with the GDPR, as upon exit the Government is intending to bring the GDPR directly into UK law to sit alongside the Data Protection Act 2018.
Given the UK Government's assurances that most GDPR requirements will stay the same, it is of primary importance that your company is complying with the GDPR principles, rights and obligations now.
If you have a data protection officer (DPO), then it is reasonable for them to combine their future UK responsibilities with any ongoing EU responsibilities if: they have expert knowledge of both UK data protection law and the EU regime; and are “easily accessible” from both locations.
2. Transfers from the EEA to the UK
Identify where you receive data from. If your company has offices within the EEA, you may have binding corporate rules (BCRs) in place across your group which describe the new status of the UK as a third country, and therefore transfers of data from the EEA to the UK are likely to be permitted. However, this is subject to confirmation from the European Data Protection Board (EDPB).
If you don’t have BCRs in place, then it is important to consider the legal basis for the transferring of personal data from the EEA to the UK.
3. Transfers from the UK to the EEA and beyond
The UK Government has stated previously that transfers to EEA countries from the UK will not be restricted, which means that there will be no additional requirements for transfers, although this is subject to the final outcome of Brexit.
Transfers from the UK to countries outside the EEA are expected to remain subject to similar requirements, although this will depend on further regulatory guidance and the final outcome of Brexit.
4. European operations
If your company spans across Europe, then be mindful that the UK’s exit from the EU may affect the data protection regimes that apply to you.
With regard to your UK organisation, it will be governed by the UK data protection regime, which will be regulated by the ICO. However, if you have offices within the EEA, the EU regime will apply to your activities within the EU even after exit and the EU regime will no longer be regulated by the ICO.
If your only established office is within the UK but you offer goods and/or services to, or monitor the behaviour of, individuals within the EEA, then that processing of data will be governed by the EU regime.
5. Documentation
Take a look at your privacy information and documentation; there may be parts that need updating once Brexit happens. Although the requirements for privacy notices and documentation may not change radically, there could well be references to EU law or mentions of EU terminology that will need changing by exit.
6. Organisational awareness
Ensure that the key individuals within your company are aware of the issues surrounding data protection and Brexit. When reviewing and creating business plans and strategies, build in processes so that any updates on data protection reach the key people in your company.