Dealing with data in the event of a no-deal Brexit
While you can’t plan for uncertainty, you can prepare for it. The Advertising Association is encouraging the industry to plan for Brexit as the risks of the UK leaving the EU without a deal on 31 October 2019 are high.
In its remit of representing the interests of the UK advertising industry, the Advertising Association has brought together key pieces of information to ensure businesses have contingencies in place to continue receiving personal data lawfully in the event of a no-deal Brexit. This is intended to provide guidance, and does not replace legal advice.
The UK’s data protection regime is currently governed by the EU’s General Data Protection Regulation (GDPR) and the UK’s Data Protection Act 2018 (DPA 2018). If your organisation receives personal data from the EEA you will still need to abide by both GDPR and the DPA 2018 even after Brexit.
Assessing data adequacy
As the UK is currently a member of the EU, there are no restrictions on the flow of personal data between the UK and other EEA Member States. Article 45 of the GDPR states that the European Commission needs to assess the relevant country’s laws to determine whether they are essentially equivalent, or “adequate”, to EU ones.
The UK has announced that it will allow the flow of personal data to the EEA regardless of a deal being in place and will recognise existing European Commission data adequacy decisions. However, the EU has not yet made a similar commitment towards the UK. This is because on leaving the EU, the UK will become a ‘third country’. And while the UK remains an EU member, the European Commission will not conduct this assessment. Unfortunately, this means if we leave the EU without a deal we will not have a data adequacy decision in place to facilitate the free flow of personal data from the EEA.
Standard Contractual Clauses
In the absence of an adequacy decision, GDPR states that personal data can be transferred to a third country or an international organisation if there are appropriate safeguards. There are a number of recognised safeguards, but the most appropriate for businesses is the implementation of Standard Contractual Clauses (SCCs).
SCCs are a standard set of contractual terms and conditions for the transfer of personal data which both the data exporter and the data importer enter into. They include contractual obligations that help to protect personal data when it leaves the EEA and ensure compliance with GDPR. SCCs only relate to the transfer of personal data, so they can be incorporated into a wider contract that covers other business terms. One of the key benefits of using these SCCs is that they are approved by the European Commission.
Binding corporate rules
If you are a multinational operating in the UK and in one or more EEA countries, then Binding Corporate Rules are required to transfer personal data between the different parts of the Group located in the UK and the EEA.
US Privacy Shield
If you send data to a US Privacy Shield organisation, the Privacy Shield participant will need to update their public commitment to specifically reference the UK, in addition to the EU. There is further information on the US government’s Privacy Shield website. In addition, the ICO has published guidance for organisations about international data transfers.
Data Protection Lead Authority
If the ICO is your lead Data Protection Authority, you may need to review your operations to assess whether you can still have a lead authority and benefit from the one-stop-shop following Brexit.
Appointing a data representative
If you are a data controller or processor that is subject to GDPR but not established in the EEA – as will be the case when the UK leaves the EU – you have an obligation to designate a data representative based in the EEA. This representative will be the go-to person to deal with individuals and DPAs in the EEA. The UK plans to oblige non-UK controllers who are subject to the UK data protection framework to appoint representatives in the UK if they are processing UK data on a large scale.
It’s important to regularly check the GOV.UK website for updates. The ICO has a page dedicated to Brexit that covers the implications for data protection and data transfers in more detail and its SCC tool provides template contracts. If you need more information about your obligations and what you need to do to comply, we recommend seeking legal advice.
For more information on matters relating to Brexit, visit the Advertising Association website: https://www.adassoc.org.uk/policy-areas-category/brexit/