Privacy regulations for organizations operating in the EU can quickly become complex. This article is the second part in a series that examines how your business can prepare for these changes; for more information, read part one.
In a year that saw more breaking news than any year should, the end of the Brexit transition period might have fallen off the radar for many organizations. It seems like an eternity ago that the United Kingdom (UK) voted to formally leave the European Union (EU); for those who have been focused on other issues, remember that after four years of negotiations the UK left the EU on Jan. 31, 2020, with a transition period that ended on Dec. 31, 2020. Among a host of issues arising from the UK’s departure from the Union were questions regarding cross-border transfers of personal data under the General Data Protection Regulation (GDPR). Under the Withdrawal Agreement, the UK would become a ‘third country’ after the transition period ended unless an adequacy decision was reached. To the relief of many organizations, a temporary reprieve in the form of the Trade and Cooperation Agreement passed shortly before the deadline.
The EU-UK Trade and Cooperation Agreement (TCA), agreed only several days before the transition period ended, allows a period of no more than six months for the European Commission (EC) to issue an adequacy decision regarding the UK. During that period, or until adequacy is granted or denied, the UK benefits from temporary adequacy.
Recognizing what this means and why it’s significant
All members of the European Economic Area (EEA)/EU are required to accept the GDPR as their baseline for data privacy in their respective countries. This requirement harmonized the data protection laws throughout the EU and allows the free flow of personal data to and from all member states. All personal data transferred out of the EU/EEA to a third country must use a valid transfer mechanism; otherwise the transfer is deemed illegal. Those transfer mechanisms include:
- An adequacy decision from the European Commission (EC)
- Appropriate safeguards (including standard contractual clauses (SCCs))
- Binding corporate rules (BCRs)
- Derogations for specific situations (set forth in Article 49 of the GDPR)
An adequacy decision means that the EC has determined that a non-EU country has protections in place that are essentially equivalent to those afforded by the GDPR. With Brexit, the UK is no longer a member of the EU, and therefore personal data transfers from the EU to the UK must rely upon one of the mechanisms mentioned above.
What does this mean for future data transfers?
As of Jan. 1, 2021, the UK GDPR has entered into force in the UK; for all intents and purposes it is a carbon copy of the EU GDPR. Seemingly, the EC should have no issues granting adequacy to the UK; after all, both are bound by virtually the same data privacy law.
Here is where things get interesting. While the EC appears tolerant of governmental surveillance within the member states, it is not keen on governmental surveillance outside of the EU (remember the Schrems II case? It now applies to the UK because the UK is officially a third country). The temporary extension afforded by the TCA gives the EC up to six months (if there are no further extensions) to determine the UK’s data protection adequacy, including an evaluation of UK laws and practices as they relate to government surveillance. Such a short timeline suggests that the EC may be close to reaching a decision, but there is no guarantee. In fact, the UK’s Information Commissioner’s Office (ICO) has recommended that UK and EEA organizations work together during the transition period to put in place alternative transfer mechanisms as a “sensible precaution”. In other words: “hope for the best, and plan for the worst”.
Adequacy may be the headline, but the sub-stories still need attention
While whether the UK will ultimately be granted adequacy may be the headline, there are some sub-stories that need to be addressed. As mentioned, the UK GDPR is in force and recognizes the EU (EU/EEA member states), as well as those countries granted adequacy by the EC, as adequate, therefore leaving UK personal data exports to these recipients somewhat unaffected. As for data imports to the UK, some countries, such as the Isle of Man, will follow the EC adequacy decisions, while others, like Jersey, make their own decisions regarding adequacy; agreements relating to these transfers will need to be monitored over the coming months. In addition, organizations that have relied heavily on the ICO for everything GDPR may have to identify a new lead supervisory authority (LSA) within the EU. While this might not seem significant to some, the ICO has been an incredible resource for many organizations dealing with GDPR compliance, from providing templates and guidance to distilling the GDPR into consumable nuggets for organizations that do not have access to privacy expertise. While the ICO will still serve as the data protection authority for the UK, and hopefully as a resource for leading privacy practices, it will be sorely missed as an EU LSA.
Begin preparing your organization with these steps
Regardless of the outcome of the UK’s adequacy decision, there are steps that organizations should take now to prepare. If your organization deals with personal data from UK or EU citizens, residents or organizations, consider the following:
- Review your data flows: Make sure you know where your data comes from and where it goes, specifically with regard to personal data that originates from either the EU or the UK.
- Update your records of processing documentation (RoPA): An organization’s RoPA should capture all the details of your personal data processing activities, including what the processing activity is, what data is processed, where the data comes from, where it goes, what the transfer mechanism is, etc. Ensure this documentation is correct, up to date and meets the requirements of both the EU GDPR and the UK GDPR (as appropriate).
- Designate a lead supervisory authority (LSA): If you previously designated the ICO as your LSA, and you process EU personal data, you may need to designate an LSA in the EU.
- Appoint a data protection officer (DPO): While there should not be a requirement to appoint separate DPOs (one in the UK and one in the EU), organizations do need to evaluate the requirements of both laws to make sure they are meeting both sets of requirements (if applicable).
- Appoint an EU/UK representative: With Brexit, your UK-based representative may not fulfill your EU representation needs under the EU GDPR. However, simply moving your UK-based representative to the EU may cause problems with UK GDPR compliance. Perform an evaluation of your processing activities to determine where you are required to establish representation.
- Update your incident response plan: As mentioned earlier, the ICO is no longer an LSA, so if your incident response plan called for notifying the ICO in the event of an EU personal data incident, the plan will need to be updated. In addition, if an incident impacts individuals in both the UK and one or more EU member states, you may be required to notify both the UK and the EU authorities separately.
- Update privacy policies and notices: Externally facing policies, such as your website privacy policy, provide a convenient mechanism for evaluating an organization’s compliance with the various privacy regulations. If your organization is subject to the UK GDPR, your policy needs to reflect this.
- Update your data processing agreements/contracts: While this needs to be done, it is important to remember that we are awaiting approval of new standard contractual clauses (SCCs), which will hopefully be available soon. Perform an evaluation to determine whether it is more important to get contracts/data processing agreements signed now (only to have to replace them in the coming weeks or months) or to focus efforts on other areas, such as evaluating the need for additional safeguards, and wait for the release of the updated SCCs.
2020 was a year that saw many data privacy issues, from Brexit, to the Schrems II decision and the invalidation of Privacy Shield, to California’s Consumer Privacy Rights Act (CPRA), to the increased use of facial recognition, and the massive collection and use of tracking information for contact tracing to help control the spread of COVID-19. As more individuals become interested in how their personal data is being captured and used, and more organizations are held accountable for their data processing practices, there is little doubt that data privacy will continue to be an important topic. In 2021 and beyond, we are hopeful that organizations and governments continue down the path to ensure personal data is used fairly, lawfully and transparently.
For more information on this topic, or to learn how Baker Tilly specialists can help, contact our team.