The leading knowledge platform for the financial technology industry
The leading knowledge platform for the financial technology industry

A-Team Insight Blogs

Deal or No Deal: Brexit or No Brexit – How Does this Affect GDPR?

By Nick Murphy, Associate Director, GDPR Integrated Technology and Solution, 3 Lines of Defence Consulting.

All eyes are on the government right now. Parliament is up and running again – for now! A No-Deal Brexit is still looming ever larger and the clock is still ticking. The time for UK firms to take action on all things data related is now.

If Brexit is cancelled or delayed until we get a deal then there is no change to your existing plans. If we get a deal then part of that deal will focus on data privacy.  Remember, on the Big Picture side whatever happens the Data Protection Act 2018 is in UK law. So on top of the items we highlight below, you will still need to ensure you have the policy, process, training and appropriate systems in place.

So what are the specific immediate actions you need to think about?  If we leave without a deal on Halloween then the line is drawn and things need to be implemented, or changed, immediately!

Are you aware of what a Deal or No Deal means to your data flows? Are your customers, or data Subjects, aware of what it means? If they haven’t started asking questions yet, they surely will soon and will you be able to satisfy their requests? Lets take a look at the scenarios, and what they may require.

NO DEAL: The UK will fall into the category classification of a Third Country. As a result, when personally identifiable information (PII) is transferred from firms in EU member states to firms in the UK, the rules state that no data will be transferred outside of the EU without a pre-agreed adequacy agreement being in place. This adequacy agreement is very likely to NOT be in place by 31st October.  So companies need to take action now to avoid any issues or penalties when processing PII data from EU citizens.

One measure is to use standard contractual clauses, or model clauses between data controllers in the EU and UK. The ICO states “The clauses contain contractual obligations on the data exporter and the data importer, and rights for the individuals whose personal data is transferred. Individuals can directly enforce those rights against the data importer and the data exporter.”

The ICO has published standard contractual clauses for scenarios where data will be transferred from EU data controller to non-EU data controller, these should be looked at if you don’t have one in place (see ICO links below).

However, for EU data processors transferring data to data controllers in the UK, there are no EU-approved standard contractual clauses, and any exceptions, such as those outlined in Article 49 of the GDPR deemed not for use on a regular basis, or for large numbers of data subjects.

This means that the exceptions are not suitable for business as usual, and once again, standard contractual clauses should be sought between data controllers.

DEAL: if we leave with a deal in place at the end of October, or a date in the future, then that is only the start – not the end – of what we need to consider with EU PII data. Transition period will kick in. Let’s look at two scenarios; if the UK leaves with a deal but without specifically agreeing an adequacy agreement then you will again need to look to establish SCC’s to ensure that PII data can continue to flow between you and the EU. If the UK leaves with a deal and with an adequacy agreement is granted, which is the best-case scenario, the adequacy agreement process could take as long as two to three years to be fully established!

This means that firms really need to take some steps to understand the implications and mitigate the risks these present.

There are other options to consider, outside of SCC’s, when needing to process data to/from EU countries when the UK leaves, these are:

Nominating an EU Representative – Upon exit, UK organisations may appoint a suitable representative in the EU.

No One Stop Shop – The One Stop Shop means organisations who are conducting cross-border processing within the EU, can generally deal with one single European supervisory authority, who would take action if required on behalf of other supervisory authorities.

Binding Corporate Rules (BCRs) – BCRs are operate within multinational groups and apply to the restricted transfers of personal data from the group’s EU entities, however BCRs must be approved by an EU supervisory authority in a country where one of the companies is based.

I’d strongly recommend taking another look at your data flows (as you did pre GDPR) and identify what data you have coming into the UK on EU data subjects (including staff, contractors, clients, investors, etc), who the data controller is and who the data processor is. Try and rework the flow to ensure that it is transferred from controller to controller and that standard contractual clauses are included and adhered to. Engage the experts if you are struggling to understand what PII data is, where it is coming from, where it is held and who the agreements need to concern. We, at 3LDC know your sector and we know data protection, so can help bring some clarity and relevance to the key roles, clauses and exceptions that you will encounter.

Again, don’t wait – act now, this will not go away any time soon.

Related content


Recorded Webinar: Developing operational resilience

Financial institutions’ operational resilience – essentially the ability to prevent, adapt and respond to, and recover and learn from operational disruptions – has come under extreme pressure during the coronavirus pandemic, with last year’s March lockdown creating unprecedented circumstances for financial firms. Employees working from home raised the stakes, as they still do, adding to...


RegTech Summit Goes Global as A-Team Launches Singapore Event in November

It’s official. Due to popular demand, A-Team Group is expanding its highly successful RegTech Summit conference series with an event in Singapore in the autumn. With lead sponsorship from Solidatus confirmed, A-Team is now formulating the agenda, recruiting speakers and discussing participation opportunities with sponsors and exhibitors. A-Team’s RegTech Summit APAC will take place on...


RegTech Summit APAC Virtual

RegTech Summit APAC will explore the current regulatory environment in Asia Pacific, the impact of COVID on the RegTech industry and the extent to which the pandemic has acted a catalyst for RegTech adoption in financial markets.


Alternative Trading Systems Directory 2010

The year since we launched our first edition of the A-Team Alternative Trading Directory has passed by in a flash (no pun intended). And while the rate of expansion of the alternative trading system sector may have slowed – even consolidated somewhat – in the more established centres, their onward march continues both in terms of credibility, and of uptake...