How Brexit outcomes will influence the way we deal with data
As the Brexit debate continues, Dods Monitoring's Connor Smart suggests that "businesses should pay close attention to their responsibilities under the relevant scenarios above and keep up to date with ICO and DCMS guidance".
Last summer, I wrote an outline summary of the main data protection issues facing the UK within the Brexit process. After that article was written, the Government published guidance in September 2018 on data protection which it has recently withdrawn and replaced with new guidance published in February. This new guidance details what will happen in either a deal or no-deal scenario.
Data protection was listed in the Prime Minister’s Mansion House speech as one of the five foundations upon which a new trading relationship with the EU should be built, and it is a fundamental part of UK law through the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA2018).
At the time of writing, Theresa May’s Brexit deal has suffered its third defeat, with a possible fourth vote taking place in the coming days. In terms of data protection, the two significant outcomes that will affect business practice are a deal scenario and a no-deal scenario.
Businesses are exposed to these changes in differing ways. If a business operates solely within the UK, the changes will be less onerous to accommodate. But if a business operates across borders and sends data between the UK and the European Economic Area (EEA), its obligations will be more extensive and its business practices will need to be more thorough.
So how will the two outcomes affect data protection practices for businesses?
If Theresa May’s deal passes and the short extension is granted until May 22, the implementation period will begin after this date. Throughout this implementation period, data controllers will see no immediate changes to their responsibilities and obligations.
Under GDPR and the DPA2018, personal data will continue to flow freely between the UK and EU. As the UK is now considered a ‘third country’, the EU will begin its adequacy decision process, which will decide whether the UK data protection regime is adequate for transfers of EU citizens’ data from the European Economic Area (EEA) to the UK.
Once an adequacy decision has been granted, data can flow freely between the UK and EU, much as it does now. Adequacy decision timelines vary according to the country concerned and have ranged from a few months to two years. Given the UK’s close data relationship with the EU and its implementation of GDPR in 2018, however, an adequacy decision should in theory take less time than it does for the average third country. The ICO has also detailed how the government intends to incorporate GDPR into UK law when we leave, which should help to speed up the decision process.
According to government guidance, in a no-deal scenario few immediate changes will occur at first. The UK government does have plans to bring GDPR into UK law in a more UK-oriented package called ‘the UK GDPR’, with the Keeling schedule and planned amendments to be made available here.
Government guidance states that, in recognition of the unique relationship between the UK and EU, UK businesses will be able to send personal data from the UK to the EU and to other third countries deemed adequate by the EU at the point of exit. The big difference in this scenario, though, is that the transfer of personal data from the EEA to the UK will be based on the UK being considered a third country, with EEA-based senders subject to GDPR’s provisions and its rules on restricted transfers.
In this case, the European Data Protection Board (EDPB) has published an information note on transfers under GDPR and what is permissible for EEA-based senders to the UK. Valid instruments for sending personal data include:
- Standard or ad hoc Data Protection clauses
- Binding Corporate Rules
- Codes of Conduct and Certification Mechanisms
Importance of adherence
The above is a basic overview of the two outcomes for data protection. The ICO has also published more detailed, Brexit-specific guidance here. The important thing for businesses is to make sure they are on the right side of data protection law, as the current fines under GDPR are punitive, and the negative publicity associated with data protection offences is also a key consideration.
As the Brexit deal stumbles along, businesses should pay close attention to their responsibilities under the relevant scenarios above and keep up to date with ICO and DCMS guidance. Ultimately, the onus is on businesses to protect personal data and the cost of not doing so far outweighs the cost of compliance.