On-demand webinar
Brexit and data protection: implications for your business
Rocio de la Cruz: Hi everyone, I'm Rocio de la Cruz, a Principal Associate leading global data protection projects at the firm. I am sorry I cannot be with you in person, but I hope you are all keeping yourselves safe.
In this session we cover the impact of Brexit on data protection compliance. Let's start by having a look at the law during and after the transition period.
During the transition period everything remains the same, therefore the European laws will apply, as stated in the Withdrawal Act 2018, and you don't need to look at any changes during this transition period.
However, after the transition period we will have a new regime in the UK that mirrors the GDPR, and we will refer to this regime as the UK GDPR. In short, it means that the GDPR rules will be part of UK law, and this is stated in the data protection EU exit regulations.
Now, in addition to the UK GDPR, the GDPR might also apply, because remember that the GDPR has an extra-territorial effect, which means that some of you may need to consider the application of both the European GDPR and the UK GDPR. Then, in terms of other applicable legislation, the Privacy and Electronic Communications Regulations, which as you know cover marketing, cookies and electronic communications, will still apply: they are already UK law. The same happens with the new regulations that cover network and information systems; they are also UK law and will apply as usual. However, the eIDAS regulation, which affects service providers, will no longer apply in the UK after the end of the transition period, but the European Government is taking steps to incorporate these rules into UK law before the end of the transition period.
Coming back to the European GDPR and the UK GDPR, Brexit will practically not affect your data protection compliance plan if your company is based in the UK only and it only sells to UK individuals; it either does not monitor individuals or, if it does, only monitors individuals who are in the UK; and its data processing activities are not subject to international transfers of data. In these cases nothing changes for you: you need to look at other Brexit implications for your business, but definitely not on the data protection side.
So what to watch out for? The most important thing, I think, is international transfers, and this is the thing I recommend you look at: review your international data flows within your company and identify data, in particular data coming from the EEA to the UK. I think this is relevant because after the transition period the UK will be considered a third country for the purposes of data protection, and although the DCMS published a few days ago, on 13 March, an explanatory framework for adequacy discussions, which means that the UK is still seeking a decision from the European Commission, this process takes a long time and I would not count on the UK being an adequate country by the end of this year.
As you can see in this table, any data going to the EEA from the UK is not a restricted transfer, so that is fine, and the transfers to focus on are those coming from the EEA to the UK. These are common questions we've had from many clients concerning the international transfer of data, and the main one concerns data processors sending data to the UK company they work for.
That would be when a data processor who is based in the EEA needs to send personal data to you, the UK company. The main issue is that there are no standard contractual clauses approved to cover a scenario in which the processor is the exporter and the controller is the importer; normally it is the controller who sends data out to the processor or any other third party.
In these cases there might be a chance for you to rely on one of the Article 49 exceptions. The clear example is to cover a one-off transfer of the data back to the controller when the contract with the processor terminates. However, this is a narrow exception and it is subject to a compelling legitimate interest balancing test that you need to carry out. It is the same as when you carry out a legitimate interest test for the Article 6 legal basis, but this needs to be a compelling legitimate interest which needs to override the rights of the individuals.
Subject to this test, there are also other requirements to rely on this exception. One of them is that the ICO needs to be notified of the transfer, so you need to keep records of the procedure you have followed and the decision taken, because the ICO will probably ask you for information once you notify them of your intention to transfer this data or to receive this data from the processor. The other option, also for ongoing transfers of personal data, if none of these exceptions are suitable or convenient, is to put in place the standard contractual clauses.
If the processor is not a third party you have an additional option, which is putting in place binding corporate rules within your company group. But coming back to a situation in which the processor is a third party, the other option would be putting in place controller-to-processor standard contractual clauses. Now, in the standard contractual clauses the processor is the importer, and then you will need to implement the same rules with the processor being the exporter, and the way to do this, in our opinion, is by adding commercial clauses in Annex B to the standard contractual clauses to cover this situation. Something very important that you need to remember and bear in mind is that that's the only amendment allowed to the standard contractual clauses for them to be a valid mechanism to transfer data internationally.
So it is very important that when you do the amendment, it is not an amendment but an addition to this Annex B, and that you include commercial clauses for the data processor to commit themselves to follow exactly the same rules and respect the safeguards when it is transferring data back to the controller from the EEA to the UK.
Moving on to another query that has been discussed with clients during the last months: what happens to those entities who are Privacy Shield certified and to whom we are sending data from the UK? This is the only scenario we have discussed with clients in which UK data is going out to a third country, and this is because the Privacy Shield covers data sent from the EEA, but it does not cover data sent from the UK, considering that the UK is not part of the European Union any more. In these cases the Privacy Shield certified company would need to comply with the scheme for the data sent from the UK to the States as well. The other option is again to put in place standard contractual clauses, so that might be the preferred option at the moment.
Interestingly, although this is at a very early stage, the ICO has published guidance on codes of conduct and certification schemes. This is something I recommend you all check out, to see whether your company would be willing to apply for one of these certification schemes when there are further developments in this area, and also to have a code of conduct approved.
Coming back to what's relevant from a Brexit perspective, I mentioned before that you may be subject to the UK GDPR and the GDPR as well, and this may happen if the UK company you work for has branches in European locations, or if it offers goods or services to individuals who are in Europe, or again if it monitors individuals while these individuals are in Europe.
The main consequence is that the UK entity will need to appoint a representative in the European Union and to consider who their lead supervisory authority will be. Also, just a little note to remind you that the UK Data Protection Act also has extraterritorial effect despite Brexit, so there might be other European companies to whom the UK Data Protection Act applies. Coming back to our scenario of the UK company being subject to the European GDPR and the UK GDPR, the main thing that clients are considering now is who their representative will be.
In terms of appointing the representative, it is a written appointment, and we recommend considering the locations with a greater level of decision-making on the processing of personal data in your company, not only in terms of the representative but also in terms of deciding who would be the lead supervisory authority if you have an international cross-border data breach.
Since you will be subject to the ICO's and the EU regulators' enforcement actions, you may need to update your data protection policies accordingly as well, in particular the rules concerning data breaches and the handling of data subject complaints.
To finalise, just a recap of the main steps to follow to get ready for a Brexit situation. The most important, as I say, is reviewing the international data flows. Check out the ICO and the European Data Protection Board guidance documents, where we are seeing some developments now, which by the way we are planning to cover in webinars soon in which we will provide a Also consider putting in place the intra-group agreements or standard contractual clauses with third parties, check out the codes of conduct and certification schemes in case that is of interest, and consider whether the GDPR applies to your company in addition to the UK GDPR.
This is all I wanted to cover in this session. You can see here my contact details, and please feel free to drop me a line if you have any queries. I hope you found this session useful. Have a lovely day, give yourself space and hopefully we'll see you soon. Thank you! Goodbye.
As part of our ThinkHouse Brexit series, Rocio de la Cruz covers the data privacy issues that have been most discussed with our clients over the last few months. In particular, she addresses: international transfers of personal data, appointing a representative, marketing, cookies and electronic marketing communications, GDPR compliance and enforcement by the ICO.