The UK left the EU on December 31, 2020, raising an important question: how will organizations transfer personal data to and from EU Member States?
The government is currently hoping for an adequacy decision, which would mean that, if approved, organizations could continue virtually undisturbed. However, it would always be an uphill battle to get the decision from the European Commission by December 31, with the process typically taking two years or more.
Things were then further complicated by the invalidation of the EU-US Privacy Shield and the possibility of a no-deal Brexit. This means major changes look to be on the way, and the Information Commissioner's Office (ICO) is advising organizations to act now.
Organizations are given a year to get into compliance after New Year’s Eve – and these are the three things to tackle in a post-Brexit world.
Have a legal basis for data transfers
Pre-Brexit, personal data could be freely transferred between the EU and the UK, but when the transition period ended on December 31, organizations had to lay a new legal basis. If we assume that an adequacy decision has not been made in time, organizations will need to use Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs).
SCCs are legal contracts that set out the terms of data transfers and are intended for straightforward transfers of personal data and for organizations participating in two-way data sharing. When using SCCs, both organizations and regulators must conduct a case-by-case analysis to determine whether the protections against government access to the data meet EU standards.
BCRs apply strictly to multinational companies and assist them in carrying out intra-organizational transfers of personal data within the EU.
Appoint an EU representative if you need one
An EU representative is someone based in the EU who works on behalf of an organization in a third country, which is what the UK will become if no adequacy decision is made.
The General Data Protection Regulation (GDPR) states in Article 28 that, with the exception of public authorities, controllers who are not established in a Member State – and who regularly process personal data of EU residents – must appoint an EU representative.
For UK organizations, this mainly involves serving as a point of contact between the organization, the data subject and the supervisory authorities.
The EU representative does this by:
- Keeping records of the organization's data processing activities.
- Responding to any questions from supervisory authorities or data subjects regarding data processing.
- Making data processing records accessible to the ICO.
These sound like tasks similar to those of a Data Protection Officer (DPO), but it is very important not to confuse the two roles. A DPO is an independent expert who helps facilitate and assess the organization’s compliance practices – an EU representative represents non-EU-based organizations when it comes to their GDPR requirements. Companies such as GRCI Law can also act as an organization’s EU representative – assuming all personal data processing activities and GDPR compliance requirements as needed.
Identify your lead supervisory authority
The lead supervisory authority (LSA) of an organization is the government agency responsible for data protection compliance (this is the ICO in the UK). However, as of December 31, the ICO will no longer be a supervisory authority under the GDPR, so UK-based organizations will have to find an alternative – meaning identifying the EU data protection authority that is most suitable for your business. This usually consists of recognizing which country accounts for the lion's share of your business activities and identifying its supervisory authority. For example, if you mainly process personal data of Spanish residents, your LSA must be the Spanish Data Protection Authority.
Once you’ve identified your LSA, find out if your organization needs to take specific actions – for example, you may be required to register with the LSA and pay a fee. In addition, you should also consider any differences between how your organization and its new LSA approach GDPR compliance, and then adjust your practices as needed. For example, the regulation gives supervisors the option to adjust the age at which someone is no longer a minor – and to interpret the rules as they see fit.
Clearly there are a number of changes that organizations will have to make when it comes to handling personal data after Brexit. Some of these changes are obvious, but there is much more to do than meets the eye – these three requirements alone generate about 150 smaller tasks for organizations to complete. A really useful tool for keeping everything on track is IT Governance Ltd.'s free Brexit checklist, which outlines the steps organizations should take from January 1, 2021. It contains guidelines for appointing an EU representative, ensuring a lead supervisory authority in the EU is identified, updating contracts related to data transfers between the EU and the UK to include standard contractual clauses, and updating policies, procedures and documentation in light of those changes.
- Camilla Winlo, Director of Consultancy at DQM GRC.