The UK Government has updated its guidance on what will happen in the event of a “no deal” Brexit as it relates to data privacy laws. HireRight reviewed the original Notice back in September, and the new guidance remains largely the same, though a “no deal” Brexit is now looking like a possibility: something no-one could have predicted just a couple of months ago.
In the updated guidance notice, the UK Government confirms that the EU (Withdrawal) Act 2018 (EUWA) will retain the GDPR in UK law, and that appropriate changes to the GDPR and the UK Data Protection Act 2018 will be made using regulation-making powers under the EUWA. We do not have full detail of what those changes will be, but the updated guidance provides a high-level summary of what we should expect to find, including:
- A preservation of EU GDPR standards in domestic law
- A recognition of all EEA countries (including EU Member States) and Gibraltar as “adequate” to allow data transfers from the UK to Europe to continue for a transitional period
- A preservation of the existing “adequate” countries list as decided by the EU to allow data transfers from the UK to those adequate countries to continue for a transitional period
- An official recognition of EU Standard Contractual Clauses (SCC) in UK law together with powers being given to the ICO to issue new clauses and a recognition of Binding Corporate Rules (BCR) – again to preserve “safe” data transfers
- That the extraterritorial scope of the UK DPA 2018 be preserved
- An obligation on non-UK data controllers who are subject to the UK DPA 2018 framework to appoint representatives in the UK if they are processing UK data on a large scale.
This will be welcome news for any business that deals with personal data, at least for the short term, as the GDPR and its concepts will be preserved in English law. Further, the UK can safely transfer data both to EEA countries and countries ruled adequate, with no further work needed.
Some work will be required, however, including:
- mapping the data flows of any EU entity that uses a UK-based service provider to process personal data; and
- reviewing data processing agreements (DPA) to see whether their data transfer clauses require updating, as transfers to the UK will become a “Restricted Transfer”.
In both cases, the likely solution will be addendums to existing agreements to include SCC between the EU entity and the UK-based processor.
More detailed guidance is expected to be published by the UK Government in the next few weeks, and HireRight will continue to monitor developments as they happen.
In the meantime, if you want to learn more about the guidance, a link can be found here.