Ensure your data transfer is permissible
UK data protection standards are currently defined by the EU General Data Protection Regulation (GDPR) and are complemented by the Data Protection Act 2018. These provide for a detailed and comprehensive approach to data protection within the UK.
Brexit will not affect the requirement for UK organisations to maintain these standards. The Data Protection Act will remain in place and the EU Withdrawal Act will incorporate GDPR into UK Law, thus maintaining the overall data protection standards for the UK.
Post Brexit, UK organisations will still be able to send personal identifiable data to the EU, as the data will be going to what is effectively a ‘safe state’ bound by the GDPR. The challenge will be for those EU organisations who wish to send personal identifiable information to the UK. Without an EU-approved agreement around UK data protection standards, those countries would effectively be sending data to a ‘non-safe’ jurisdiction.
Discussions around an agreement between the UK and EU on data protection have begun. In the July 2018 white paper, the UK government sets out its goals around a UK-EU agreement on data protection, and the government has been clear that it is ready to discuss an adequacy arrangement at the earliest opportunity. However, there is no current agreed timeline for this process. If no agreement on data protection has been reached at the point of Brexit, organisations will need to have mitigating procedures in place to allow personal data to be transferred from the EU to the UK after Brexit Day.
Data transfer: required safeguards
For UK organisations that receive personal identifiable information from the EEA, now is the time to start discussing those transfers and the various safeguards and mechanisms that may need to be implemented to make them permissible. It is worth remembering that these safeguards are required for both inter-company data transfers and those outside of the organisation.
A number of safeguards are available; however, the two most likely to be appropriate are binding corporate rules and standard contractual clauses:
- Binding corporate rules - A transfer can be made if both parties have signed up to binding corporate rules. Binding corporate rules are an internal code of conduct applicable within a multinational group, which applies to restricted transfers of personal data from the group's EEA entities to non-EEA group entities.
Binding corporate rules must be submitted for approval to an EEA supervisory authority, usually the one where the EEA head office is located (though this is not required). One or two other supervisory authorities will be involved in the review and approval of the proposed rules.
- Standard contractual clauses (‘model clauses’) – a transfer becomes permissible if both parties have entered into a contract incorporating standard data protection clauses, known as ‘standard contractual’ or ‘model’ clauses. Four sets have been adopted by the EU Commission, and they must be entered into by the data exporter (based in the EEA) and the data importer (outside the EEA).
The clauses contain contractual obligations on the data exporter and the data importer around data protection and preserve the rights for the individuals whose personal data is transferred.
Other safeguards exist; however, the circumstances in which they are appropriate can be quite specific. The full list of options is available on the Information Commissioner’s Office website.
In our experience, implementing these measures can take some time, so reviewing the options and initiating the right conversations should be seen as a priority.
Going forward, the conversations around data protection in relation to Brexit and beyond are likely to continually evolve, so remaining close to your advisors and to updates from the Information Commissioner will be key to ensuring you adopt the right processes and remain aligned with both the regulator and the expectations of key stakeholders around data privacy.