How to Manage Your Data When Expecting Brexit
The implications of a possible Brexit on privacy and compliance-related statutes, such as the General Data Protection Regulation (GDPR), Privacy Shield, and the Data Protection Act of 2018 (DPA) are vast. These regulations govern the handling and transfer of consumers’ private data between entities in the EU, UK, and the rest of the world. If the landscape of the European Union changes, so, too, do the jurisdictions of these regulations.
In the wake of Brexit, data transfer relationships will require mending. Taking data that belongs to people in the UK and transferring it to the EU will still be an acceptable transfer. If the UK leaves the EU and loses its stature as a member state, the country will cease to be a trusted party and deemed inadequate for data transfers from the EU to the UK.
In order to reopen the flow of data westward across the English Channel, the EU and UK will have to establish a new data transfer agreement, with the European Commission reviewing the privacy laws of the UK and deem them adequate for data transfers. Similarly, Privacy Shield, which currently regulates data transfers between the EU and U.S., will no longer cover instances when companies transfer data from the UK to the U.S. (as it is an EU/U.S. arrangement!) though it is understood the UK and U.S. will be making amendments to enable this in the near future.
What Can Companies Do?
To meet the requirements of GDPR, the UK — as did all EU countries in scope — had to institute a supervisory authority: the Information Commissioner’s Office (ICO). The ICO is the independent public agency responsible for certifying legal data-related agreements, such as contract clauses, certifications, codes of practice, and binding corporate rules. After Brexit, any ICO approvals become void in the EU—the ICO would no longer be an EU supervisory authority.
Companies who designated the ICO their lead supervisory authority—normally those with headquarters or main establishments in the UK—may have to designate a new lead authority in the European Union depending on where their main processing in the EU resides in addition to their UK relationship with the ICO.
Organizations established outside of the EU, without a physical presence in the EU, but targeting their services or monitoring those within it must establish an EU representative locally. Organizations based in the EU that process personal data on individuals in the UK, but do not have a physical presence in the UK, would have to UK representative to take queries from data subjects and interact with regulatory bodies.
Regardless of where a company is located, where its data subjects reside, and where the company needs to transfer that data, leaders can and should begin to take stock of their approach to data privacy by taking the following measures to prepare for a potential Brexit:
- Know your data. Examine your records of data processing and understand how the data your company leverages moves around the globe. Understand if you’re processing data on individuals in the EU, and understand the data movements, especially if your organization is also processing data on individuals in the UK, and call out these as separate to those in the EU. Know your requirements for the import and export of personal data.
- Look at where you’re established. If your main establishment is in the UK or has mechanisms approved by the ICO, you may need to find a new EU lead authority and seek re-approval. If your establishment is in Europe but you process data in the UK, you’ll have to understand the ICO’s position. If your company transfers data out of the UK or the EU, you’ll have to look at the legal process for transferring data to specific locations.
- Review basis for international transfers. In the event of a no deal Brexit, the ICO ceases to be an EU supervisory authority, that means any international transfer mechanisms they have approved may require reapproval or review by the new lead supervisory authority.
- Determine a new representative. Review your organizational need for new EU or UK representative if you have data on people in the EU/UK but have no physical presence there. There’s a good chance you may have to establish an additional post-Brexit EU or UK representative depending on your direction of data movement.
- Assess your risk. “What is the risk of all this?” is a perfectly valid question to ask. Given the nature of Brexit discussions, there’s a chance that the UK suddenly leaves the EU without leaving a long runway for companies to adapt. Your goal should be to manage your risk and not be found in wanton disregard by your data subjects. Regulators will likely be sympathetic to companies’ plight in the event of a fast-twitch decision, but eventually organizations must be online with the law no matter the makeup of Europe in the near future.
- Amend privacy notices. Companies have privacy notices to be transparent, notifying individuals about what information will be collected, how it is used and where it is going. In the event of Brexit, your organization must amend its privacy notices based on new situations that arise as a result of a post-Brexit scenario.
Proactive Measures Improve Competitive Edge
Brexit will leave behind it a tangled web of intertwined data-privacy laws. Whilst the UK has a legal framework very similar to the EU, adequacy could take a long time to achieve, and a UK free of the EU could potentially begin to diverge its legal framework. Your organization’s location and the location of data it processes will greatly impact how you address Brexit-related changes to regulations. While the details of the split are still as yet unknown, leaders can and must begin to take stock of their companies’ data processing mechanism and begin developing new routes to compliance. The organizations that get ahead of Brexit stand not only to reduce the risk of non-compliance, but they may even be able to improve their market share ahead of laggard competitors.
About the author: Ralph O’Brien is a senior privacy consultant with TrustArc, a provider of privacy compliance solutions. Ralph has spent more than 20 years working at the intersection of privacy, security and risk management. As a senior level “translator” between IT, business and compliance professionals, Ralph helps drive thought leadership, business development, partnerships and product development in emerging privacy regulations.
CCPA: Business Threat or Opportunity?
Does the U.S. Have a Case of GDPR Envy?
Lessons Learned: What Big Data and Predictive Analytics Missed in 2016