Irrespective of whether or not a trade agreement is reached with the EU, Directors of all businesses and organisations that process personal data of clients, staff or partners must understand a new risk to their operation.
If you have any suppliers or clients, or use any systems, that are based in EU countries, your organisation has to take stock. Your teams will need to review your supply chain, update your GDPR ‘Data Map’ and make changes to existing agreements where they are found to be in breach of the law. In addition, you might have to appoint what are called EU representatives.
It’s important to understand that European organisations will, because of Brexit, have to scrutinise their supply chain more critically, so there is now a higher risk that your organisation will be asked to provide evidence of your GDPR compliance. Are you in a position to do this on request? You might want to ignore these changes, but your EU partners may not!
Dec 14th 2020 update
After 1st January 2021, the transfer of personal data into a territory not covered by the EU-GDPR (i.e. from an EEA nation to the UK) will be classed as a restricted transfer, so it will need to rely on one of three cross-border transfer mechanisms:
1. An adequacy agreement.
This is highly unlikely to be granted to the UK before 1st January 2021, for many reasons, irrespective of a Brexit and/or trade deal being finalised.
An adequacy decision means the European Commission has formally accepted that the country processing the personal data does so in a satisfactory manner and in line with the EU-GDPR.
If there is an adequacy decision, you can transfer personal data without having to put additional safeguards in place – as summarised below.
2. An appropriate safeguard; such as a Standard Contractual Clause (SCC) being inserted into an existing contract, or a Binding Corporate Rule (BCR).
SCCs are currently being reviewed and the European Data Protection Board (EDPB) will be publishing their opinions mid-December. The ICO has advised that companies should continue using the current versions of them and adjust as appropriate following the consultation. These are Controller to Controller and Controller to Processor agreements that have been around since before the GDPR (i.e. DPD days!).
• It is highly likely the ICO will implement the new EDPB SCCs word for word to maintain consistency as broadly as possible.
Typically, only larger corporate organisations embark on implementing BCRs, which can be time-consuming and expensive.
3. A derogation (exemption rule) – only in very specific cases, and EDPB guidance must be referred to. I can’t think of many instances where you’ll want to go down this road or be able to rely on this.
Sending personal data from the UK to the EEA:
• After the end of the transition period (1st January 2021), transfers of personal data from the UK to the EEA will be permitted as adequate, as the UK has recognised the EEA as such. Data is being transferred into an area that is subject to the GDPR, which is a known acceptable standard. There is no change here.
Receiving personal data from the EEA:
• This is classed as a restricted transfer. It will be the responsibility of the EEA entity sending the data to the UK entity to ensure that they comply with the GDPR and that the appropriate mechanisms are in place to cover the cross-border transfer process. Companies are likely to request and implement appropriate safeguards in the form of SCCs, and to have these inserted into existing contracts. The EEA entity is also likely to undertake an additional Transfer Impact Assessment and an essential equivalence assessment of the data protection regime in the UK as part of their considerations. This latter part could have an impact on getting data back, as it may effectively mean that reliance on SCCs alone is not enough.
Sending data from the UK to a non-EEA country where the EU (and the UK as part of it) has an existing adequacy decision in place:
• No restrictions on these transfers, as adequacy is in place: the UK has recognised the EU adequacy decisions as valid.
• Countries are: Andorra, Argentina, Canada (commercial only), Faroe Islands, Guernsey, Isle of Man, Israel, Jersey, New Zealand, Uruguay, Japan.
Receiving data into the UK from a non-EEA country:
• This is down to the sender to determine their compliance with the GDPR. They may make additional demands on the UK-based company to ensure it complies.
An EU Representative is required when the company in the UK offers goods and services to EEA individuals (or monitors their behaviour) AND does not have an operational branch, office or establishment in the EEA in which a DPO is already present or can be put in place.
This EU Representative will need to act on behalf of the business regarding any GDPR compliance matters and to deal with any Supervisory Authorities or data subjects in their jurisdiction. This individual will need to work alongside your data protection lead (DPO or otherwise).
Breaches, Incidents and Complaints
In the event of a data breach, or a data subject complaint involving individuals in the EEA, this will be handled by the EU Representative working with your GDPR lead, and any actions will need to satisfy the demands of the Supervisory Authority for that individual’s national territory; e.g. if they are Polish or German, the demands of the Supervisory Authority for Poland or Germany will need to be considered.
In the event of a breach or complaint, you will need to liaise and interact with the UK’s own ICO and potentially multiple Supervisory Authorities (this could be one or all of the Supervisory Authorities, depending on which national supervisory authority the data subjects have complained to and which is investigating you).
The issue here is that the UK is no longer part of the EDPB, so the One Stop Shop mechanism, under which the ICO acted as the lead authority for UK businesses, will no longer exist.
Copyright B D Research Ltd. 2020 BDR-WS067