Data Protection and a no deal Brexit
The Outsourced DPO has been looking at the impact of a hard Brexit for some of his clients – what a roller coaster ride that is. In her blog of 13th December, Elizabeth Denham stated that, “the Government has already made clear its intention to permit data to flow from the UK to EEA countries. But transfers of personal information from the EEA to the UK will be affected.”[ her emphasis not mine. But this is not rocket science, we are not trying to land a spaceship on the dark side of the moon here – but controllers and processors need to get on with planning for this eventuality to avoid disruption and potential regulatory action.
There are four scenarios:
- you are a controller established in the UK providing services solely in the UK and making no disclosures and sharing no personal data with other organisations outside the UK;
- you are a controller established only in the UK providing services solely in the UK and engaging processors or disclosing personal data to other controllers in the EU;
- you are a controller established only in the UK providing services to people in the EU;
- you are a processor established in the UK acting on behalf controllers or other processors who are based in the EU.
The first scenario represents a rare breed but we have some clients who fall into this category. These organisations are unaffected by Brexit in terms of data protection law. If the UK leaves the EU without a deal they are no longer required to observe the GDPR and instead must comply with the Data Protection Act 2018 (DPA2018). The Government has made clear that the General Data Protection Regulation (GDPR) will be absorbed into UK law at the point of exit, so there will be no substantive change to the rules according to the ICO’s pre-Christmas blog. So in effect nothing changes for these folks.
The second scenario represents a lot of small companies. The Outsourced DPO’s smallest client is a firm of 7 people who specialise in removing asbestos from buildings. They use Office 365 and Dropbox and by doing so have engaged data processors based in the EU and the USA. For them, nothing really changes as both the US-based processor (Dropbox) and the EU-based processor (Microsoft) have built the European Commission’s standard contractual clauses into their master services agreement which will remain valid under British law – the DPA2018. However this firm might struggle to win work in the EU because, as stated by the ICO, the transfers of personal data from the EEA to the UK will be affected and that potentially puts them at a disadvantage as compared to their European competition. Organisations in this category need to figure out what they need in place to be able to persuade
The Outsourced DPO has many customers falling into the third scenario from small businesses with European office-outposts, foreign owned businesses where our client is the UK outpost, through to multi-national businesses where either the UK is the global hub or acts as a regional headquarters with centralised services such as HR based in the UK. For these types of organisation the situation is a little more complex. To illustrate the point let’s look at one client who is an international company based in Dubai with their regional office for Europe and Russia in London. The company has offices in France, Germany, Cyprus, Spain, Romania, Turkey, Belgium and the UK. The HR department for the region is based in London and processes HR-related personal data for employees of all the European offices.
The difficulty for them is that the EEA based offices will not be permitted to transfer personal data such as employee information to the HR department in the regional office in the event of a no-deal Brexit unless there is an appropriate safeguarding mechanism in place because Britain will become a “third country” with no adequacy arrangement agreed by the European Commission and the last adequacy arrangement to be agreed took two years to put in place. The good news is that this should not be a deal-breaker because the GDPR makes provision for data transfers through the standard contractual clauses mentioned above, binding corporate rules and several other mechanisms that the European offices may rely on to continue to transfer the HR data to the UK. The difficulty will be in getting all European offices to sign the standard contractual clauses and in the experience of the Outsourced DPO it is likely to be internal politics rather than legal opinion which slow down this process. So the smart thing to do is to start this ball rolling now, otherwise data transfers to the HR department will abruptly stop on 29th March!
In the fourth scenario, the Outsourced DPO’s client is a processor providing services to EEA-based organisations. Since 25th May 2018, the GDPR requires their customers to have engaged them on contracts that comply with Article 28 which should include information about transfers of personal data to a third country or an international organisation. The likelihood is that these contracts rely on the UK being a Member State of the EU and do not contain the standard contractual clauses that they will have if the UK leaves with no deal. This may mean yet another round of supplier reviews and contract negotiations but the danger for processors is that their European customers either switch to another service provider or fail to put in place the necessary safeguards. Processors acting for EEA-based controllers need to engage with them now to find out what they need to do to ensure continuity of service.
It would be a high-risk strategy to sit still and do nothing assuming that your customers, colleagues and the data protection authorities in the EU member states will be relaxed about this. You should act now to at the very least assess the impact of a hard Brexit on your operations.
Phil Brining For “providing services” read providing services or monitoring behaviour