On 13 December 2018, the Department for Digital, Culture, Media and Sport (DCMS) published a Policy Statement clarifying how a ‘no-deal’ Brexit will affect UK data protection law. On the same day, the Information Commissioner’s Office (ICO) published detailed guidance as well as a six-step practical guide advising firms on how to prepare for a no-deal scenario. Certain UK financial services firms that manage or process personal data may need to review their data flows and update their structure, processing operations and documentation accordingly.
What will change in a no-deal scenario?
After exit day and provided that there is no withdrawal agreement in place, the UK data protection regime will operate as follows:
- The General Data Protection Regulation (GDPR) will become retained EU law and will still apply in the UK, with minor changes to reflect the UK’s new position outside of the EU. This means that data controllers in the UK will still be subject to its provisions and data subjects will still benefit from its high standards of protection.
- The data protection frameworks of all Member States of the European Economic Area (EEA), EU and EEA institutions as well as Gibraltar will be transitionally recognised as adequate. However, even though this will allow the free flow of data from the UK to these jurisdictions, it will not ensure the free flow of data from the EEA into the UK. Unless the EU makes a formal adequacy decision with regard to the UK regime before exit day, firms will need to put in place alternative mechanisms for transferring data, including standard contractual clauses.
- The UK will transitionally preserve the effect of EU adequacy decisions with regard to third countries, allowing firms to continue to rely on them for transferring data to the relevant jurisdictions.
- Standard contractual clauses issued by the European Commission will remain in force in relation to international data transfers from the UK, and firms will still be able to rely on them.
- Existing authorisations of Binding Corporate Rules (BCRs) of the ICO will be maintained.
- The UK data protection regime will continue to have an extraterritorial effect. This means that it will apply to data controllers or processors outside the UK, including those based in the EU, where they process data about individuals in the UK in connection with offering goods and services or monitoring their behaviour.
What should firms do?
- GDPR compliance: Financial services firms that qualify as ‘data controllers’ or ‘data processors’ should ensure that they comply with GDPR standards and follow current ICO guidance. Data Protection Officers may retain their existing roles in relation to both the UK and the EU, provided that they have expert knowledge of both UK and EU data protection law and are ‘easily accessible’ from both locations.
- Transfers into the UK: Firms need to review their data flows to identify data that is being transferred into the UK from the EEA and ensure that adequate GDPR safeguards are in place to avoid disruption, such as standard contractual clauses.
- European operations: Firms operating in the EU should review their structure, processing operations and data flows. After exit day, the EU data protection regime will apply to firms with offices, branches or other establishments in the EEA as well as firms that are solely based in the UK but offer goods or services to individuals in the EEA or monitor the behaviour of individuals in the EEA. Importantly, the latter will also need to appoint a representative in the EEA to deal with individuals and data protection authorities; this representative cannot be their Data Protection Officer or one of their data processors. UK firms operating in the EU should also be aware that they may no longer have a lead authority in the EEA and may therefore no longer benefit from the one-stop-shop mechanism. This means that they may have to deal with several local authorities across EEA member states, which might significantly impact their businesses and resources.
- Documentation: Privacy information and documentation, such as terms and conditions, must be reviewed and updated to remove any references to EU terminology and reflect any changes with regard to international transfers between the UK and EEA.
- Organisational awareness: Firms need to ensure that key individuals in their organisation understand data protection-related risks and that they have included the necessary steps in their Brexit contingency planning.