Brexit & GDPR: What will change?
Many people are worried about what Brexit will mean for GDPR and data compliance. The news that the leave date has now been extended to 31 October does, however, mean there is more time to put any necessary changes in place.
Regardless of Brexit, GDPR will most certainly still apply as the government intends to pass legislation to incorporate much of the Regulations into UK law.
If your business or organisation sends, receives or stores (e.g. in the cloud) personal data outside the UK, in the EU or EEA (European Economic Area), then you will need to take additional steps post Brexit. Your business will have to comply with two data regimes, the EU’s GDPR and the UK’s GDPR, which will be governed separately by the Information Commissioner and an EU supervisory authority. One consequence of this is that dual reporting will be required.
Top tips for how you can prepare
1. Data flows
Establish what, if any, international flows of personal data you have and whether these transfers will become restricted transfers under UK or EU data protection law on exit date.
There will be a transition period until 2020 whilst the UK Government seeks an “adequacy” ruling from the European Commission, but until that ruling is obtained, the requirements that apply to international transfers will have to be complied with.
As a consequence of your review, you may need to either update or put in place a Data Protection Impact Assessment (DPIA) in respect of international data flows.
2. Review your policies, procedures and documentation
You will need to review your procedures, and any existing contracts with third parties, to determine how to continue to transfer data lawfully after the Brexit date.
If, as a result of Brexit, your business or organisation will be making previously permitted transfers of personal data from the UK that will become restricted transfers, you should update your documentation and privacy notice in relation to international transfers, especially if you need to appoint an EU GDPR representative.
3. DPOs and Appointment of an EU GDPR Compliance Officer
If your organisation is required to have a Data Protection Officer (DPO), that requirement will continue to apply to your UK compliance. However, you will need to consider whether you will also require an EU GDPR DPO, and how the two will be able to interact with each other in the most accessible manner.
Whether you will require an EU GDPR DPO will depend largely on the outcome of your data flow review. Following Brexit, your organisation will no longer be an EEA-based controller or processor, but there is still a requirement under the EU GDPR that you must appoint a representative within the EEA.
This representative will need to be set up in an EU or EEA state where some of the individuals whose personal data you are processing are located. You will need to authorise them (in writing) to act on your behalf regarding your EU GDPR compliance, including dealing with any supervisory authorities or data subjects.
This representative can be an individual, company or organisation established in the EEA, but they must be able to represent you in respect of your obligations under the EU GDPR.
Once appointed, you will need to ensure your privacy notice provides individuals based outside of the UK, but in the EEA/EU, with the details of your EU GDPR representative. You must also make this information easily accessible to supervisory authorities, for example by publishing it on your website.
Failure to appoint a suitable DPO will be an easy compliance check for the relevant authorities to make and, with the risk of a fine of 2% of annual turnover, it will be prudent to take the necessary planning steps now.
If you need support to understand or meet the regulations then contact GA Solicitors. We can assist you with GDPR compliance, guidance on reporting and also employee sanctions if required, ensuring all activities are in compliance with the law.