By Nick Murphy, Associate Director, GDPR Integrated Technology and Solution, 3 Lines of Defence Consulting.
All eyes are on the government right now. Parliament is up and running again – for now! A No-Deal Brexit is still looming ever larger and the clock is still ticking. The time for UK firms to take action on all things data-related is now.
If Brexit is cancelled or delayed until we get a deal, then there is no change to your existing plans. If we get a deal, then part of that deal will focus on data privacy. Remember, on the big-picture side, whatever happens the Data Protection Act 2018 remains UK law. So on top of the items we highlight below, you will still need to ensure you have the policy, process, training and appropriate systems in place.
So what are the specific immediate actions you need to think about? If we leave without a deal on Halloween then the line is drawn and things need to be implemented, or changed, immediately!
Are you aware of what a Deal or No Deal means to your data flows? Are your customers, or data subjects, aware of what it means? If they haven’t started asking questions yet, they surely will soon, and will you be able to satisfy their requests? Let’s take a look at the scenarios, and what they may require.
NO DEAL: The UK will fall into the classification of a third country. As a result, when personally identifiable information (PII) is transferred from firms in EU member states to firms in the UK, the rules state that no data will be transferred outside of the EU without a pre-agreed adequacy agreement being in place. This adequacy agreement is very likely to NOT be in place by 31st October. So companies need to take action now to avoid any issues or penalties when processing PII data of EU citizens.
One measure is to use standard contractual clauses (model clauses) between data controllers in the EU and the UK. The ICO states: “The clauses contain contractual obligations on the data exporter and the data importer, and rights for the individuals whose personal data is transferred. Individuals can directly enforce those rights against the data importer and the data exporter.”
The ICO has published standard contractual clauses for scenarios where data will be transferred from an EU data controller to a non-EU data controller; these should be reviewed if you don’t have them in place (see ICO links below).
However, for EU data processors transferring data to data controllers in the UK, there are no EU-approved standard contractual clauses, and the exceptions, such as those outlined in Article 49 of the GDPR, are deemed not for use on a regular basis or for large numbers of data subjects.
This means that the exceptions are not suitable for business as usual, and once again, standard contractual clauses should be sought between data controllers.
DEAL: If we leave with a deal in place at the end of October, or at a date in the future, then that is only the start – not the end – of what we need to consider with EU PII data. A transition period will kick in. Let’s look at two scenarios. If the UK leaves with a deal but without specifically agreeing an adequacy agreement, then you will again need to establish SCCs to ensure that PII data can continue to flow between you and the EU. If the UK leaves with a deal and an adequacy agreement is granted, which is the best-case scenario, the adequacy agreement process could still take as long as two to three years to be fully established!
This means that firms really need to take some steps to understand the implications and mitigate the risks these present.
There are other options to consider, outside of SCCs, when needing to process data to/from EU countries once the UK leaves. These are:
Nominating an EU Representative – Upon exit, UK organisations may appoint a suitable representative in the EU.
No One Stop Shop – The One Stop Shop means organisations conducting cross-border processing within the EU can generally deal with one single European supervisory authority, which would take action if required on behalf of the other supervisory authorities.
Binding Corporate Rules (BCRs) – BCRs operate within multinational groups and apply to the restricted transfers of personal data from the group’s EU entities; however, BCRs must be approved by an EU supervisory authority in a country where one of the companies is based.
I’d strongly recommend taking another look at your data flows (as you did pre-GDPR) and identifying what data you have coming into the UK on EU data subjects (including staff, contractors, clients, investors, etc.), who the data controller is and who the data processor is. Try to rework the flow to ensure that it is transferred from controller to controller and that standard contractual clauses are included and adhered to. Engage the experts if you are struggling to understand what PII data is, where it is coming from, where it is held and who the agreements need to concern. We at 3LDC know your sector and we know data protection, so we can help bring some clarity and relevance to the key roles, clauses and exceptions that you will encounter.
Again, don’t wait – act now; this will not go away any time soon.