A final and possibly hard Brexit is rapidly approaching. Whether it’s hard or negotiated, it will have an impact on the UK data protection regulation and GDPR. If you’ve not yet begun considering those impacts, now is the time. Since the UK will no longer be part of the EU, it makes sense to start with data flows and international transfers. Let’s look at what you should know about these data transfers and how to make sure you’re in compliance in a post-Brexit world.
The Nature of Data Transfers
Luckily, there is some guidance. The European Data Protection Supervisor (EDPS) has written a document about data transfers. In it, you’ll find guidance to help you understand what’s expected.
The underlying principles are not that complicated, although that doesn’t mean implementation is easy. Keeping people’s personal data safe relies on data minimisation – collecting only what little personal information you need and then ensuring you have adequate safeguards in place. For example, the EDPS suggests the following:
- Determine what personal data you actually need to accomplish your goals and limit yourself to collecting only that data.
- Document the above exercise in writing, justifying why you need the personal data to achieve your goals.
- Make sure that data subjects know what you’re doing and that you’re respecting their rights – this is typically done through a privacy notice.
- Decide who needs access to the personal data and limit access only to those people.
In the event of an investigation, regulators want to see that certain measures were in place to protect the data and prevent it from falling into the wrong hands. You must be able to demonstrate that you’ve thought about the risks and taken preventative measures. Thorough documentation of the reasoning and processes is the best way to demonstrate what you’ve done and will reduce the likelihood of sanctions.
Data Transfers and Brexit
The current transition period, during which the UK is still considered within the EU, lasts until December 31, 2020. Starting in 2021, data transfers from Europe to the UK will need to be aligned with the principles of the GDPR.
Unfortunately, the authorities haven’t yet made it extremely clear what that means. The EU has the power to recognise another country’s transfer regime as equivalent to the EU’s, effectively whitelisting the country. This is done when a decision has been made that that country has adequate levels of protection for its data subjects in place. This is also known as the adequacy decision.
Since the UK’s data protection regulation is based on the GDPR, this should happen. However, it’s unclear if the adequacy decision will be reached by January 1. If officials can’t come to a consensus, enterprises and organisations will need to take precautions. In other words, you should not assume that your current data protection will be enough for a safe data transfer.
Since it seems unlikely that the adequacy decision will be reached by the end of the transition period, if you have data transfers from the EU to the UK you need a contingency plan.
You should already have mapped inbound and outbound data transfers. Any processing activities involving transfer to the UK from Europe will need to be reconsidered.
Depending on the nature of the transfer, there are several legal bases for data transfers from the EU that can be considered. The most straightforward is using the Standard Contractual Clauses (SCCs). The European Commission has laid out two sets of contractual clauses for international data transfers. You’ll need to determine which applies to your data transfer and then get the agreement implemented between you and the other party.
However, SCCs are not the only transfer mechanisms available. Other potential methods include ad hoc clauses, binding corporate rules and codes of conduct. Some are reserved for public authorities only, while others are dependent on the approval and adoption of the mechanism by your supervisory authority.
Business owners will need to check Art. 48 of the EU GDPR safeguards to be certain, but most businesses can rely on SCCs to be enough to fulfill the requirements.
Update Your Documentation
Your privacy notice and internal documentation will also need to be updated after you’ve reassessed your legal basis for transfer. It’s especially important that you’re clear to data subjects about which legal basis for transfer you’re using.
What’s the Best Way to Prepare?
It helps to be proactive right now, especially with the December deadline looming. The European Data Protection Supervisor does not simply recommend having a plan in place — officials recommend implementing that plan before December 31. This way, there’s no question about whether you took the proper steps.
There’s a lot to learn about how different data protection laws apply and you need to be organised to ensure you can demonstrate you’ve considered how they impact your business. GDPR365 helps companies do just that, so you can evolve and stay compliant as the rules change.