The UK left the EU on 31st of December 2020 and it brought to light one key question: how organizations will transfer personal data to and from EU member states?
The government is currently hoping for an adequacy decision, which would mean organizations could continue with almost no disruption, if approved. However, it was always going to be an uphill battle to get the European Commission’s decision by 31 December, with the process typically taking two years or more.
Things were also then complicated with the invalidation of the EU–US Privacy Shield and the possibility of a no-deal Brexit. This means it looks as though major changes are on the way, and the Information Commissioners Office (ICO) is advising organizations to act now.
Organizations are being given a year to get into compliance shape post New Year’s Eve – and these are the three things you need to address in a post-Brexit world.
Have a lawful basis for data transfers
Pre-Brexit, personal data could be freely transferred between the EU and the UK, but when the transition period ended on the 31st December organizations needed to establish a new lawful basis. If we assume that an adequacy decision hasn’t been reached in time - organizations will need to use standard contractual clauses (SCCs) or Binding Corporate Rules (BCRs).
SCCs are legal contracts that outline the terms and conditions for data transfers, and are intended for straightforward internal personal data transfers and for organizations that partake in two-way data sharing. When using SCCs, both organizations and regulators need to conduct a case-by-case analysis to determine whether protections concerning government access to data meets EU standards.
BCRs strictly apply to multinationals, and help them make intra-organizational transfers of personal data across the EU.
Appoint an EU representative if you need one
An EU representative is someone based in the EU who works on behalf of an organization in a third country, which is what the UK will become should we not reach an Adequacy Decision.
The General Data Protection Regulation (GDPR) states in Article 28 that, with the exemption of public bodies, data controllers which aren’t based in a member state - and that regularly process EU residents’ personal data - must establish an EU representative.
For UK organizations, this will mainly encompass serving as the point of contact between the organization, the data subject and the supervisory authorities.
The EU representative will do this by:
- Maintaining records of the organization’s data processing activities.
- Responding to any queries the supervisory authorities or data subjects have concerning data processing.
- Making data processing records accessible to the ICO.
These do sound like tasks similar to a Data Protection Officer (DPO), but it’s very important not to confuse the two roles. A DPO is an independent expert who helps facilitate and assess the organization’s compliance practices - an EU representative represents non-EU based organizations when it comes to their GDPR requirements. Companies such as GRCI Law can also act as an organization’s EU representative – and take on all the personal data processing activities and GDPR compliance requirements as needed.
Identify your lead supervisory authority
An organization’s lead supervisory authority (LSA) is the public body responsible for data protection compliance (this is the ICO in the UK). However, from the 31st December, the ICO will no longer be a supervisory authority under the GDPR, so UK-based organizations will need to find an alternative – which means identifying the EU data protection body that is the most appropriate for your business. This typically consists of recognizing which country takes the lion’s share of your business activities and identifying its supervisory authority. So, for example, if you mostly process Spanish residents’ personal data, your LSA should be the Spanish Data Protection Authority.
Once you’ve identified your LSA, you will need to find out whether it requires your organization to carry out any specific actions – it may be obligatory to register with the LSA and pay a fee, for example. Additionally, you should also review any differences between how your organization and its new LSA approaches GDPR compliance, and then adjust your practices as required. For example, the Regulation gives supervisory authorities the option to adjust the age at which someone is no longer a minor - and to interpret its rules however it sees fit.
Evidently, there are a number of changes organizations need to make when it comes to dealing with personal data post-Brexit. Some of these changes are obvious, but there’s a lot more to do than first appears – these three requirements alone generate around 150 smaller tasks that organizations will need to complete. A really useful tool to help keep everything on track is IT Governance Ltd.’s free Brexit checklist, which outlines the steps organizations must take from 1 January 2021. It includes guidance on appointing an EU representative, identifying a lead supervisory authority in the EU, updating contracts governing EU-UK data transfers to incorporate standard contractual clauses, and updating policies, procedures and documentation in light of those changes.
- Camilla Winlo, Director of Consultancy at DQM GRC.
- We've featured the best cloud storage.