‘T Ain’t What You Do (It’s The Way That You Do It): Data Transfers in a Post-Brexit World
With the dust barely settled since the General Data Protection Regulation (GDPR) came into force, our data protection antennae are back on red alert over the issue of data transfers in a post-Brexit world.
With just 6 months to go before the 29th March Brexit date, the UK Government’s Department for Digital, Culture, Media & Sport (DCMS) has published a notice “Data Protection if There’s No Brexit Deal” (the “Notice”) which sets out what actions UK organisations should take in respect to data transfers in the event that there is no Brexit deal with the EU. The Notice can be viewed here:
What are the key points under the Notice?
- A “no deal” scenario remains unlikely
- GDPR remains in full force and effect in the UK until 29 March 2019
- After 29 March, if there is no deal there will be no immediate change in the UK’s data protection standards:
- Data Protection Act 2018 remains in place
- EU Withdrawal Act would incorporate GDPR to sit alongside Data Protection Act 2018
- No impact on transfers of data from the UK to the EU
- Legal framework governing transfers of personal data from organisations in the EU to organisations in the UK may change on exit (see below)
Ruling of adequacy and timing
The Notice restates that the EU Commission has gone on record that if it deems the UK’s level of personal data protection to be equivalent to that of the EU, then a ruling of adequacy will be given. With such a ruling, there would be no restrictions on data transfers, and organisations in the EU would not be required to take any additional steps to ensure safe transfers.
The related issue is the timing of such ruling: the UK Government are ready to commence discussions now, but the EU Commission are yet to indicate a timetable for such discussions, stating that they cannot commence until the UK becomes a third country – i.e. post-Brexit – thereby leaving a potential gap.
What does the Notice recommend in respect to EU to UK data transfers?
With the timing of any ruling of adequacy slightly up in the air, it is clear that there may be a period, post-Brexit, where EU organisations have to consider how to effect a safe transfer of data.
The Notice is not terribly detailed on this point, which perhaps indicates that the topic is not too controversial. In summary, the Notice suggests that a legal base for transfers of personal data should be identified and that for the majority of organisations the most relevant basis will be standard contractual clauses (SCC).
Impact of implementing SCC
Most EU (and UK) organisations will be very familiar with SCC after the demise of Safe Harbor in 2015, when many companies put in place SCC to allow transfers of data to organisations in the United States of America.
Whilst administratively putting in place SCC can be burdensome, the SCC themselves are standard documents and EU and UK organisations are used to handling these; so getting them in place from a cultural perspective should not be controversial or problematic. Further, one of the main burdens encountered in 2015 was organisations having to map data on short notice to figure out which entities required SCC. However, because of the GDPR, organisations in the EU and UK should have already undertaken extensive data mapping exercises, so again it should be easier this time around to put these SCC in place.
Background screening at HireRight
Outside of the Americas, the GDPR informs HireRight’s compliance rules and approach. There will be no change in this regard: HireRight considers the GDPR to be the gold standard privacy regime. HireRight is also well placed with its office locations, and has operations centres in Poland and Estonia, as well as in the UK.
It is intended that HireRight will enter into SCC with all customers requiring them, and in many cases, these are already in place as part of GDPR efforts.
HireRight aims to help minimise the impact of Brexit on its customers.