Keeping you up to data

Tees Business Digital Media Pack

Helen Brain, commercial partner at the Teesside office of Square One Law, explains why businesses need to understand how data protection laws will change with Brexit and act now…

International transfers of personal data have long caused difficulties for businesses.

In a cloud computing world, businesses often don’t fully understand the storage, Software as a Service (SaaS) and marketing services they use, failing to realise they may be making transfers of personal data across international borders.

With Brexit, things are about to get even more difficult.

If a deal is struck ahead of December 31 2020, and an adequacy decision is granted to the UK by the EU, then personal data flows should be able to continue between the UK and European Economic Area (EEA) without additional measures.

Although the UK has stated it will incorporate the EU GDPR into UK law at the end of the transition, to sit alongside the Data Protection Act 2018 (DPA), the various derogations from the protections under EU GDPR included in the DPA 2018 and powers for the UK government to carry out surveillance mean that UK law is not fully equivalent to the European levels of individual data protection.

If there is no deal at the end of the transition, the chances of an adequacy decision being granted by the European Commission seem low.

If there’s a no-deal Brexit, or a data protection adequacy decision is not forthcoming as part of that deal, then the UK will become a third country for the purposes of personal data transfers.

As such, transfers of personal data between the UK and EEA become restricted, and businesses will need to identify and put in place appropriate safeguards to ensure those personal data transfers remain lawful as from January 1 2021.

If you are a UK-only company, processing UK personal data only, using only UK-based processors, and you are already compliant with the GDPR, then you don’t need to do much more than review and update your policies.

If you are a UK company, already compliant with the GDPR and only transferring personal data of UK data subjects to the EU, the UK government has so far indicated there is no necessity to have additional measures in place.

Similarly, if you are transferring UK personal data to a country with a current valid EU adequacy decision (for example, New Zealand, Japan and Israel) that data can also continue to flow without additional measures. So, for the time being, you just need to update your policies and watch for developments or further statements by the UK government and ICO.

If you are a UK company transferring personal data from the EEA to the UK, you need to act now. For example, if you are a business targeting EU citizens as customers, or if you are a provider of processing services (for example, a SaaS provider) based in the UK processing EU personal data on behalf of your customers.

> You may need to appoint an EU representative if you don’t have a group company based in the EU.

> You may also need to put in place appropriate safeguards for the transfers of EU personal data into the UK.

The most appropriate solution for many businesses receiving EU data from another organisation will be entering into standard contractual clauses with the EU organisation.

A key point to note is that the European Data Protection Board (EDPB) recently issued new draft Standard Contractual Clauses (SCCs) as part of its guidance on international transfers. As such, any SCCs you sign now may need to be replaced before the end of 2021 with the new model clauses.

The EDPB guidance, issued in draft form and currently open to public consultation, also makes clear that SCCs alone are not enough. If local laws in the destination country impede the effectiveness of the transfer tool, supplementary measures have to be implemented or the transfers stopped.

Next steps for businesses:

1. Audit:
• Understand personal data flows and locations.
• Review contracts and policies.

2. Act:
• Carry out due diligence and enter into SCCs where appropriate.
• Update contracts and policies.
• Appoint a European representative if needed.
• On-shore where needed – it is particularly important to eliminate transfers of personal data to the US regardless of Brexit, given the statements from the Court of Justice of the European Union in Schrems-II and the draft recommendations from the EDPB.
• Consider the knock-on effects of Brexit regarding your appointed supervisory authority, location and language of your data protection officer.
• Keep up to date with developments on Brexit and divergence between EU and UK data protection laws. Replace SCCs once the current draft versions are approved and adopted.

If you require further information about any of the issues raised in the article, please contact Helen on