Reddy Charlton Solicitors, which advises on data protection matters, has issued a briefing note on the impact of Brexit on data protection.
Brexit will have a huge impact on businesses that transfer data to and from Britain. During the transition period, EU law will still apply and, therefore, GDPR remains in force.
While it is likely that GDPR will be incorporated into British domestic law after the transition period, sitting alongside the UK’s Data Protection Act 2018, this is not guaranteed.
At the end of the transition period (likely year-end 2020), the default position, in the absence of an agreement, is that Britain will leave on World Trade Organisation terms.
In those circumstances, the relationship between the EU and Britain with respect to data will be altered, and a determination will be required as to how data will be dealt with between the entities.
There are three current data relationship options:
- Adequacy decision: the European Commission (EC) has the power to determine whether a country outside the EEA offers an adequate level of data protection. Britain’s intention to fully incorporate GDPR into its domestic law may assist in this regard, Reddy Charlton notes, though a decision may take some time.
- If the UK does not receive this adequacy status, it will be deemed a ‘third country’, meaning any flow of personal data will be under an alternative transfer mechanism, such as binding corporate rules (BCR) or model contract clauses.
- BCR are internal rules for data transfers within multinational companies in countries that do not provide an adequate level of protection. This requires a lengthy approval process from relevant data-protection authorities.
- The European Commission can decide that standard contractual clauses (SCC) offer sufficient safeguards for personal data to be transferred internationally. However, there is both an administrative and financial burden to this solution.
Reddy Charlton advises businesses to maintain up-to-date records on data processing, and to complete a list of all data-flows to and from Britain.
Fully identified data-flows will allow planning for subsequent contract and data-protection notice updates and amendments.
All data-protection notices should be reviewed and amended, where necessary, the law firm says, and a communication plan drawn up for updating them.
Due-diligence procedures to allow for data processors situated in Britain should also be updated.
Data-processing contracts should be updated to ensure appropriate clauses are in place, such as model contract clauses.
BCRs should be considered for the transfer of personal data to group entities based in Britain.
Assess what transfer mechanisms are currently in place to protect personal data, and any additional security measures necessary.
Businesses should also consider whether to implement ‘privacy-by-design’