As Brexit approaches, it is increasingly important to consider what impact, if any, it may have on your data processing activities.
This checklist is designed to help UK-based companies that engage in cross-border processing, or that are part of an international group, identify potential issues and plan ahead so that they can continue operating as usual, particularly in the event of a no-deal scenario.
Will the GDPR still apply?
If the UK leaves the EU without a transitional arrangement in place, the draft Data Protection, Privacy and Electronic Communications (Amendment etc) (EU Exit) Regulations 2019 ("2019 Regulations") will implement EU GDPR standards in the UK from exit day. The draft 2019 Regulations were tabled in revised form in January this year, along with a raft of other proposed statutory instruments relevant to Brexit. The Regulations consolidate and amend the EU GDPR and UK Data Protection Act 2018 to create a new UK GDPR. As with the EU GDPR, the UK GDPR will have extra-territorial reach.
The UK GDPR will apply to the processing of personal data if:
- You are located in the UK.
- You offer goods and services to, or monitor the behaviour of, individuals in the UK.
The EU GDPR may also continue to apply to you if:
- You have other branches or offices in the EEA.
- You offer goods and services to, or monitor the behaviour of, individuals in the EEA.
If a deal is reached and the UK enters into a transition period, it is expected that the EU GDPR will continue to apply during this period (and only certain parts of the 2019 Regulations, broadly relating to ePrivacy and online direct marketing, will come into force).
For a more detailed look at the post-Brexit data protection environment, see this article.
It may be necessary to implement or update transfer safeguards to protect cross-border flows of personal data, particularly for any transfers of EEA data into the UK, and any onward transfers of such data. You should consider the following:
Do you export personal data from the EEA to the UK?
Assuming the EC has not recognised the UK as providing adequate protection for personal data at the time of exit:
- Transfer safeguards will need to be implemented or updated to cover transfers from the EEA to the UK.
- You may need to revisit any Binding Corporate Rules which are in place across your group (particularly if they were approved by the ICO) or consider an alternative transfer mechanism.
Do you make any onward transfers of EEA data within the UK?
- Do you have appropriate flow-down terms and contracts in place?
Do you make any onward transfers of EEA data from the UK to other non-EEA countries?
You will need to ensure adequate data transfer arrangements are in place.
If you export data from the UK to the US under the Privacy Shield, consider:
- To which Privacy Shield-certified organisations is data transferred?
- Has each recipient US organisation updated their public Privacy Shield commitment to expressly cover transfers from the UK (and, if they receive UK HR data, relevant HR policies)?
- If not, have you contacted your US business partners regarding updating their public Privacy Shield commitment?
Do you export data from the UK to the EEA, or elsewhere internationally?
The 2019 Regulations set out that the UK will:
- Continue to recognise the effect of existing European Commission Adequacy Decisions.
- Recognise all EEA countries, EU and EEA institutions, and Gibraltar as providing an adequate level of data protection.
- Recognise the effect of existing EU Standard Contractual Clauses.
- Recognise the effect of existing Binding Corporate Rules (BCRs), although note that it is unclear how EU regulators will view these, particularly where they have been approved by the ICO.
For further information to help determine which transfer safeguards may be most appropriate going forward, see this article.
Identifying Supervisory Authorities
If you engage in any cross-border processing, you may currently benefit from the regulatory 'one stop shop', which aims to ensure that an organisation need only deal with one Lead EU Supervisory Authority (SA).
While the ICO has indicated it intends to continue collaborating with EU SAs, it will no longer be part of the one stop shop mechanism (outside any transition period). The ICO will be an independent SA. This means you may need to reconsider the location of your Lead SA, or whether you have one in the EU at all.
Is the ICO currently your lead supervisory authority?
- Is your processing likely to affect individuals only in one country, or across the UK and multiple EEA countries?
- Are you established in the UK?
- Are you also established in one or more EEA countries?
- Where is your main establishment?
  - In what country is your central administration?
  - Where do you make the main decisions about your data processing activities?
  - Where do your main processing activities take place?
For further information about determining your lead supervisory authority, please see this article.
Data Protection Officers
If you are currently required to have a DPO, this requirement will continue after Brexit, under both the UK GDPR and the EU GDPR where applicable. It should remain possible to have one DPO covering both the UK and the EEA, but you may want to consider whether they should be relocated after Brexit, bearing in mind:
- Were you required to, or did you choose to, appoint a DPO?
- Where is your DPO based?
- Will your DPO still be easily accessible from each of your locations?
- Do you need to notify a new lead SA about your DPO?
- Do you need to consider appointing an additional DPO in the EU or the UK?
For further guidance about assessing your DPO requirements, please see this article.
Under the EU GDPR, organisations within its extra-territorial scope (offering goods and services to, or monitoring the behaviour of, individuals in the EEA) that are not located within the EEA must appoint an EU representative. This may have a particular impact on businesses operating in the EEA that are based in the UK. Questions to ask include:
- Are you located only in the UK, or in the UK and elsewhere internationally outside of the EEA?
- Do you offer goods and services to, or monitor the behaviour of, individuals in the EEA?
- Do you have any offices or branches in the EEA?
For further information on appointing an EU representative, see this article.
Consider whether any documentation needs to be updated or replaced, for example to change the applicable law, to manage contractual requirements (including data protection warranties), to deal with data transfers, to include processor flow-down terms, or to comply with the principle of transparency. Documents to review include:
- Data Protection Impact Assessments
- Legitimate Interests Assessments
- Privacy Policies and Notices
- Organisational risk records
- Processing Records
- Any agreements relating to UK/EEA transfers, including Standard Contractual Clauses, Binding Corporate Rules, Intra-Group Agreements, and Data Processing Agreements