By Andrew Dyson (Partner) and JP Buckley (Legal Director).
After the UK’s decision to leave the European Union in the so-called Brexit referendum, we set out how organisations should approach data protection compliance, an area that has historically been regulated at an EC level and which will be significantly affected in the medium term whether the UK leaves the EU or not.
1. Impact on GDPR compliance
Earlier this year the EC published the General Data Protection Regulation (GDPR). The GDPR has direct legal effect across all EC Member States (including the UK) in May 2018, replacing at that point all current data protection legislation, including the UK’s Data Protection Act 1998.
A key question for many organisations is whether Brexit means data controllers and processors established in the UK still need to prepare for the GDPR and the significant reforms that legislation anticipates to the way personal data are collected, used and shared.
Our view is that Brexit should have little, if any, impact on GDPR compliance planning.
The GDPR will be effective in the UK from 25 May 2018 – a date which will precede any ‘best case’ timetable for the UK exiting the EU under Article 50. There is no reason to believe GDPR will be disapplied before then.
Whilst the strict legal position is that an exit from the EU will lead to the GDPR ceasing to have legal effect in the UK, it seems almost certain that the UK Government will implement equivalent legislation, effectively replicating the GDPR into UK law as part of any Brexit transition process. A robust privacy law will be critical to supporting the continued growth of the UK digital economy and access to the European digital marketplace.
The Information Commissioner’s Office (ICO), which acts as the UK data privacy regulator, has already indicated this position, noting that it will be lobbying Government for changes to the existing Data Protection Act to reflect the GDPR. It is not yet clear however what legal form these changes would take.
Action: Organisations processing data within the UK should still prepare for the GDPR, and should start their planning now if they haven’t already done so. The changes anticipated by GDPR are wide-ranging and require a cross-organisational compliance framework that will take time to assess and implement effectively.
Risk: UK companies which delay taking steps to prepare for the GDPR (or any UK equivalent) risk losing competitive advantage once the new regime comes into force due to the likely constraints that will be imposed on consumer marketing, data analytics and data sharing activity, and related exposure to potential fines given a new and more assertive enforcement model.
2. Impact on data transfers
As a result of the UK’s decision to leave the EU, the UK will need to establish itself as a ‘safe haven’ country which can support the continuing free flow of EU originating data into systems and services operated from here. There are four likely models for achieving this:
(a) the UK remains as part of the EEA;
(b) the UK is added to the approved “white list” of countries for which there has been a European Commission decision of adequacy;
(c) the UK negotiates a separate arrangement with the EU to support the lawful transfer of data, akin to the EU-US Privacy Shield; or
(d) UK companies are left to rely on data transfer agreements based on the EU Model Clauses.
The mechanics of securing Brexit and any resulting alliances and associations are as yet unclear, so whether the UK can secure any of options (a), (b) or (c) is not yet obvious. It seems very likely that the UK will join the European Free Trade Association (and then remain in the EEA) but failing that the ICO’s clear view is that the UK should adopt privacy standards in UK law which are equivalent to the GDPR to support an adequacy decision per option (b). Options (c) and (d) are likely to be less practically acceptable as a new round of negotiations to establish a mechanism like the EU-US Privacy Shield (which has not yet been agreed, but is close according to some reports) would be time-consuming, and option (d) requires a range of data transfer agreements to be put in place which may discourage data flows to the UK.
Action: Monitor how the mechanics of the Brexit process impact the continued processing of EU originating data to determine which of the options above is the most practical.
Risk: If there are few practical transfer options available or the ones which are available are time-consuming or administratively complex then it is possible that organisations from outside the EU may decide to move their data from the UK to another EU country.
3. Impact on contracts
Many organisations are starting to develop GDPR-ready versions of standard data processor and data sharing provisions. What then does Brexit mean for these contracting arrangements?
Our view is that the requirements of the GDPR represent baseline standards for good data management and should continue to be applied as a standard for effective supplier management.
Care should be taken to incorporate into contracts under negotiation now either a full representation of all of the GDPR’s requirements (our preference) or, at the very least, a timed action point to meet and discuss the impact of the GDPR (or its equivalent) on the contractual relationship, the wording of the contract and the operational practices between the parties.
When drafting the applicable law clauses or definitions ensure that you provide for the flexibility required by the contractual relationship in question – so this is likely to include the Data Protection Act, local laws around Europe and the world as applicable, the GDPR and any equivalent legislation applied in the UK.
Action: When updating contracts to be GDPR-ready, ensure the approach taken anticipates a different potential legal position across different EU jurisdictions and supports potential changes in the law in the near term.
Risk: Failing to reflect GDPR / Brexit in contracts involving processing data over the medium term may risk contracts being non-compliant with the emerging regulatory regime, leaving either party potentially exposed to regulatory sanction or censure.
4. What other impacts are there, and what should we do now?
The uncertainty could lead to organisations wondering what to do next, and doing nothing. What is clear is that the need for good governance, planning and organisational controls has never been more important. We set out below key actions to apply now:
- Put in place effective governance – Organisations should have a strong governance function in place, capable of influencing and involving all parts of the organisation. The cyber attacks issue referred to below is one good reason, but the degree of change over the next couple of years is such that effective governance is going to be critical to implementing the changes effectively and in good time. The need for governance doesn’t stop there, however: there will still need to be ongoing governance in place regarding data flows, suppliers and the documenting of privacy impact assessments in a way that hasn’t been seen before.
- Map and document data flows to be clear about the purposes and legal basis for processing – Increasing awareness of rights and the changes to the legal bases for processing are two very good reasons to do this. It also means that you are prepared and understand the organisation’s data flows, which many organisations did not last October when Safe Harbor was struck down, so that what could have been a simple process of changing data transfer documents became a complex due diligence exercise.
- Prepare for cyber attacks – The continued rise of the number of (and impact of) cyber attacks alone means that organisations need to be taking steps to prevent these, mitigate their effect and learn lessons from them. You should also be aware of the forthcoming Network and Information Security Directive (again this is EU law but it has a wider impact on the degree of threat sharing that is likely to take place in practice).
- Implement training within your organisation – Many data privacy breaches or cyber attacks are caused by simple errors. By having effective and memorable training processes in place, an employee is more likely to think about their actions, and hence a breach is avoided. These good practice principles are not really affected by whatever legislation is in place. It can be something as simple as not clicking on unknown email links, and checking bank payment details and suspicious requests.
The decision by the UK to leave the EU will certainly change the face of UK data protection legislation, but it shouldn’t change the direction of travel: to invest in and ensure compliance with privacy standards measured against the GDPR, which remains the baseline for UK businesses, both now and in the new post-Brexit landscape.