Neil Ross, Policy Manager for Digital Economy at techUK, outlines what businesses need to do to ensure their data remains compliant, once the UK leaves the EU.
As a member of the EU, the UK enjoys access to the EU’s common framework for data protection. This framework allows businesses to transfer personal data within the EEA, and between the 13 other countries with which the EU has full or partial adequacy agreements, without having to provide extra reassurances beyond complying with GDPR (the UK GDPR is contained within the Data Protection Act 2018).
In the event the UK leaves the EU without a deal the UK will lose access to this common data protection framework at the point of exit.
If this happens, UK businesses that exchange personal data with businesses in the EEA will have to ensure ‘appropriate safeguards’ are in place to transfer data in a manner that complies with GDPR rules, for example by inserting Standard Contractual Clauses (SCCs) into contracts or by seeking to apply Binding Corporate Rules (BCRs).
One further solution is for a third country (in this case the UK) to be given ‘adequacy’. Countries can be granted adequacy by the European Commission (EC) if their data protection regimes are deemed to provide sufficient protection for personal data in their jurisdictions. Receiving adequacy requires an assessment by the European Commission and, if granted, would allow personal data to be transferred to and from the EU in a similar manner to the way it is done now.
The Government’s revised political declaration contains a pledge to negotiate an ‘adequacy decision’ with the EU by the end of 2020. This commitment existed in the Theresa May withdrawal agreement and it is very welcome to see that it has been kept in the Government’s new revised political declaration.
However, the political declaration remains unratified, and the shortest time in which an adequacy decision has been completed is 18 months; there are currently just 13 months until the end of 2020. As a result, there remain not insignificant hurdles to reaching an adequacy agreement.
Businesses that exchange personal data should therefore upskill their processes, so that they are familiar with the appropriate safeguards the GDPR requires for transferring data in the event of a no deal exit, or if for any reason an adequacy decision has not been reached by the end of the transition period in a deal scenario.
Upskilling on the requirements for transferring data abroad should not just be seen as a defensive task. Once the UK has left the EU, appropriate safeguards will be needed to transfer personal data to and from countries that have not reached adequacy decisions with the UK. This means that having a good grip on the requirements for transferring personal data can make businesses more confident traders in an increasingly data-driven economy.
To upskill on data transfers techUK recommends a number of practical steps businesses should take:
- Consult the ICO’s website; the ICO is the UK’s data protection authority (DPA) and has produced detailed guidance for businesses on transferring data, including providing model clauses to amend contracts to support international data transfers.
- Map your data flows; many businesses simply will not have done this, because there was little need to before. However, with Brexit, the growth in personal data transfers as part of day-to-day trading, and the increased attention being paid to data protection, this is a vital exercise: it will help you take effective action if problems arise, as well as giving you a better understanding of your business activities.
- Prioritise key data flows; smaller businesses may not have the time or capacity to map all their data flows. In this case you should prioritise key flows that are important for the business.
- Upskill your supply chains; techUK understands that awareness of the changes to data protection rules in the EU resulting from a no deal Brexit is very low. However, businesses in EU countries will need to take steps to continue exchanging personal data with the UK if the UK leaves the common data protection framework and does not have adequacy. UK businesses will therefore need to speak with their key data trading partners to ensure that model clauses and any other steps are taken, so that business can continue as normal and with confidence.
- Keep records and show your working; DPAs are not trying to catch you out. Their responsibility is to ensure businesses are taking all the necessary steps to protect personal data. Therefore, keeping records of your activities and having documents and contracts easily searchable will stand you in good stead and improve your compliance posture if issues arise.
- Get to know your main DPAs; while each national DPA will follow similar rules in a jurisdiction that applies the GDPR, the character of each DPA can vary, and this can have an impact on how they interpret and apply the rules. Therefore, if you principally trade in one or a few jurisdictions, getting to know your main DPAs and their standard operating procedures can help your business act smarter and be more confident when doing business.
For further information please consult the ICO’s website for information on Brexit and international transfers or please visit techUK’s Brexit hub.
You can also view a recent webcast run by techUK and Deloitte on transfers of personal data and how to prepare for a possible no deal exit here: https://event.on24.com/wcc/r/2106397/D7C1907699077DF4AD1197C837E13D67
*Please note that you will be asked to register to access this recording; details of how any data will be used can be found at the above link.