Brexit: a data protection checklist for UK controllers
Yes. Well. Brexit. It had to come up at some point, I guess.
The UK enjoys a beneficial position, from a data protection point of view, from its membership of the EU. Once we are no longer in the EU, and assuming we do not join the EEA, we lose that benefit. (Brexit may have other implications too, such as from a supply chain point of view, but this blog post is just about data protection.)
Here's a brief checklist of the key things for UK companies to bear in mind.
If you are only processing personal data of people in the UK?
If you are only processing personal data of people in the UK, then there is no particular impact.
For the transition period — until the end of December 2020 — the GDPR continues to apply.
After that, an amended version of the GDPR — cunningly known as the "UK GDPR" — will still apply, alongside the Data Protection Act 2018. Substantively, the obligations under this revised framework as they were before Brexit.
If you are processing personal data of people in the EU?
If you are processing personal data of people in the EU, and if you are within what is called the "territorial scope" of the GDPR (i.e. you do one or more of the things which triggers direct application of the GDPR), you need to continue to comply with the (unamended) GDPR — you don't fall out of scope just because the UK has left the EU.
(Note that merely processing personal data of people in the EU does not automatically mean you are within the GDPR's territorial scope, so get your particular situation checked out.)
However, in addition to doing what you were doing (or, at least, should have been doing) already, you have some extra obligations and considerations.
Check you have a valid basis of lawfulness for each of your processing activities
For every act of processing, you must have a "lawful basis". There are multiple bases of lawfulness set out in the GDPR, and some are very EU-centric.
In particular, two of them — "necessary for compliance with a legal obligation" and "necessary for the performance of a task carried out in the public interest or in the exercise of official authority" — are linked to EU law. As such, if you want to continue to use these as your basis of processing, you will need to point to a legal obligation or requirement set out in either EU law or, if you are subject to the law of a member state, the law of that state. You cannot continue to rely on English law.
If you are currently relying on either of these because English law requires you to undertake the processing in question, or you need to do it in support of an obligation placed on you under English law, you will need to find another lawful basis for processing of data relating to people in the EU.
Appoint a representative in the EU if your processing is more than "occasional"
Update (29/01/2020): the Information Commissioner's Office has said that: "During the transition period, companies and organisations that offer goods or services to people in the EU do not need to appoint a European representative."
If your processing of personal data is more than "occasional" — likely if you have employees, or process personal data to carry out a service or in the regular course of business — then you need to appoint a representative in the EU. Data subjects can contact this person with questions about your processing, or to exercise their rights, and regulators can use them as their point of contact.
You must appoint your representative in one of the member states where the relevant data subjects are located. (e.g. if you process personal data of people in France and Germany, and nowhere else in the EU, you'd need to appoint your representative in either France or Germany.)
Your appointment must be explicitly designated by a written mandate, so make sure you've got it covered in writing, and that you've got a copy of this available in case a regulator asks.
Put "appropriate safeguards" in place if you receive data from the other controllers or processors in the EU
Once it leaves the EU, the UK will not be considered "adequate" from a data protection point of view, and so the freedom to transfer data between the EU and the UK ends. (In the fullness of time, this might change, but I am not holding my breath.)
If you receive personal data from controllers or processors subject to the GDPR (but not from data subjects directly), you will need to have in place appropriate safeguards. There are a number of options but the most likely, for most situations, will be entering into what are known as "standard contract clauses" or "model contract clauses" with the other party.
If this is the route you decide to go down, you're probably wise to update your terms, to incorporate these automatically. You might also be asked questions about your security, and how you will ensure the data you receive are protected, so be prepared to answer them.
There are some limited derogations, such as getting each relevant data subject's consent, but they are not suitable for ongoing, or repetitive, transfers.
If you transfer personal data to the US, reliant on the receiving organisation's Privacy Shield self-certification, you must check that they have updated their commitment to cover the UK. If they have not, then you'll need to find another adequacy mechanism (again, probably the model / standard contract clauses).
(You do not need to do anything to cover transfers of personal data from the UK to a country in the EEA, so just worry about personal data being transferred to you.)
Update your privacy notice
You may need to update your privacy notice, to cover:
- international transfers
- amended lawful bases
- details of the representative you have appointed.
You may have to deal with other European data protection regulators, and potentially be fined by both
If you are established in other member states, the simplest thing to say is "get advice in those countries".