How to deal with Privacy after Brexit in 5 steps
If your business has an affiliate in the United Kingdom (‘UK’), or you are using a service provider in the UK, then now is a good time to find out what Brexit could mean for your privacy compliance.
As long as the UK is a member state of the European Union, personal data may flow freely from the European Union / European Economic Area (‘EU’) to the UK, and from the UK to the EU. In the event of a ‘no deal’ Brexit, this changes: the UK becomes a ‘third country’ under the General Data Protection Regulation (GDPR), and the flow of personal data from the EU to the UK becomes subject to the GDPR’s restrictions on international transfers. But why is that, and what can you do about it?
Here are 5 steps to take in order to stay GDPR compliant after Brexit:
#1 Just keep calm
The UK government has stated that it will ‘adopt’ the GDPR into UK law after Brexit. Privacy law in the UK will therefore remain in place and will be nearly identical to the GDPR. So keep calm, and continue (or, if you have not started yet, start) your GDPR implementation programme.
#2 Check your data flows
Review your current situation: where do you currently transfer personal data from the EU to the UK? You can check this in your record of processing activities (the so-called ROPA). If you do not have a ROPA, start with that, because it is the first step towards GDPR compliance in any event.
#3 Sign EU Model Clauses
Once you have identified the data flows from the EU to the UK, it is time to put them on a lawful footing. The most common and fastest way is to sign the standard contractual clauses published by the European Commission, which are already widely used for data transfers outside the EU. These ‘standard clauses’ are the so-called ‘EU Model Clauses’, to be signed by the ‘sending’ party (in the EU) and the ‘receiving’ party (outside the EU). You can find the EU Model Clauses on the website of the European Commission. They are older than the GDPR, but can still be used (they have not been updated yet).
The effect of signing the EU Model Clauses is that the receiving party (outside the EU) is contractually bound to the same level of protection that the GDPR provides. Your counterparty essentially promises to treat the personal data in accordance with the GDPR, which makes it ‘safe enough’ to send the data outside the EU. Sending personal data to the UK was already safe; after Brexit, this needs to be contractually confirmed with the EU Model Clauses.
At some point, the EU may grant a general exception (‘adequacy decision’) for all data transfers to the UK, as it recently did for Japan on 23 January 2019. But that may still take many months. So in the meantime, it is time to sign the EU Model Clauses.
There is also some good news: according to the ICO (the UK’s Information Commissioner’s Office), no action is required for data transfers from the UK to the EU. The UK government intends to make a formal exception (a local adequacy decision) to cover these transfers. As soon as that exception applies, you can continue sending personal data from the UK to the EU without a problem.
#4 Update your policies
If you have your head office in the UK but do business elsewhere in the EU, you may have to deal with more than one privacy authority: one for the UK and one or more for the EU member states in which you operate. After Brexit, the ‘One Stop Shop’ principle (a single lead supervisory authority) will no longer apply to UK-based companies. This means that you may have to appoint a representative in the EU (the ‘representative’ of Article 27 GDPR) who will be the point of contact for any privacy questions or investigations there. You will also need to update your privacy policies and workflows to reflect these changes in your organisation and contact details.
#5 Communicate the new situation
Once you have signed the additional contractual clauses and updated your privacy policies, it is time to inform everyone about the changes. This can be done in a newsletter by email, or on your website, depending on how you normally communicate internally and externally. This communication is part of your responsibility to be fully transparent about how you deal with personal data, inside and outside the EU.
Yes, Brexit will lead to some administrative hassle for your privacy compliance.
No, there is no need to make a big fuss about it, as far as privacy is concerned. Planning ahead and taking the above 5 steps will bring you closer to privacy compliance after Brexit.
Just keep calm, and carry on with GDPR compliance!
Want to know more about how to prepare your privacy compliance for Brexit? Just contact me.