“There is a cliff, whose high and bending head looks fearfully in the confined deep. Bring me but to the very brim of it” says the blinded Earl of Gloucester in Shakespeare’s King Lear, thinking that he is at the edge of the famous white cliffs of Dover.
Right now, the whole of the U.K. appears to be on the same spot looking over a precipice. However, this is not the moment to be blind. As politicians struggle to find a magic formula for a prosperous Brexit, businesses are stepping up their efforts to mitigate the damage of a possible “no-deal Brexit.” The data protection community is no different.
The proposed withdrawal agreement would have preserved the status quo in data protection terms, at least until the end of the transition period in December 2020. However, if the U.K. leaves the EU without a deal, the implications for international data flows and privacy compliance generally will be severe. Therefore, British pragmatism demands an urgent and thorough approach to preparing for the eventuality of a no-deal Brexit.
A comprehensive action plan in this situation should consider the following:
EU to UK Data Transfers Arrangements
As a third country without an adequacy finding by the European Commission, the U.K. will automatically be regarded as unsafe for personal data originating from the EU. This is actually the case for the majority of the countries in the world, but it represents a huge disruption when compared to today’s frictionless data flows between the EU and the U.K. In practical terms, this will require identifying current and future EU-U.K. data transfers and urgently ensuring that U.K. entities become “safe importers” of data in data transfers agreements or through binding corporate rules.
U.K. to “rest of the world” Data Transfers Arrangements
Data transfers to the EU or adequate jurisdictions – including to organizations covered by the Privacy Shield – should be a non-issue, but onward transfers of EU data might be problematic. This is because any contractual arrangements imposed on U.K. entities to legitimize data transfers are likely to require the same obligations to be passed on to any third parties that will be processing the data. Therefore, existing arrangements between U.K. organizations and those based elsewhere that are recipients of data originating from the EU may need to be revised.
Alternative or Additional Lead Supervisory Authority to the U.K. ICO
One of the most promising changes brought about by the EU General Data Protection Regulation is the one-stop-shop model of supervision for multinationals operating across the EU. Many of them are already subject to the competence of the U.K. Information Commissioner’s Office due to having their main European establishment in the U.K. With the U.K .ceasing to be an EU member state, an alternative lead supervisory authority will need to be selected, or possibly an additional one acting in parallel with the ICO. However, the strict and complex requirements associated with this demand serious strategic thinking and extensive planning.
This exercise will also apply to the growing number of multinationals seeking new approvals for their BCRs. Expect numerous three-way conversations between applicants, the ICO and the potential new scrutinizing authority.
EU Representative if Subject to the GDPR on the Basis of Article 3(2)
Like many other non-EU-based controllers and processors, UK entities subject to the GDPR as a result of their remote commercial operations or online profiling activities in the EU will need to appoint a local representative. Again, this is not a simple exercise, as it requires some strategic thinking as well as specific practical steps to make that appointment valid.
For EU-based Controllers, Dealings with U.K. Processors
In addition to all of the above, U.K.-based providers of data processing services will need to offer express contractual safeguards to meet their European customers’ expectations and compliance requirements. It is very likely that many of those customers will not be even aware of the fact that engaging a U.K. processor after Brexit may attract additional data protection requirements, so U.K. processors are strongly advised to be upfront about it and proactively assist their own clients.
Other GDPR Compliance and Documentation Requirements
Finally, there are essential compliance requirements in the GDPR that involve extensive documentation – from records of processing activities under Article 30 to data protection impact assessments under Article 35. These may not be seen as operational priorities but they are nonetheless key elements of the whole European data protection framework. Addressing any necessary changes to this documentation to reflect the new reality of Brexit should also be part of the plan.
All of this at a time when U.K. data protection is already subject to GDPR rules and the scrutiny of the Information Commissioner. The fact that Brexit is affecting data protection matters to this extent shows how toxic a potential no-deal scenario may be and how it will impact the digital economy.
This article was originally published on IAPP’s Privacy Perspectives.