As part of our continued series of blog posts providing answers to your questions on the EU General Data Protection Regulation (GDPR), this week we discuss Brexit and the territorial scope of the Regulation.
The questions were posed during our GDPR webinars, with the answers coming from one of our compliance experts. Our previous blogs have covered data breaches, compliance and certification, and consent.
Q: If somebody lives in the EU but isn’t actually an EU citizen, does the GDPR still apply?
A: Yes. When you travel abroad, you are under the laws of the country you travel to. Similarly, when you are living in the EU, your personal data is subject to its laws and regulations.
Q: Is there flexibility to comply with the GDPR, or must all EU countries implement the requirements exactly as they’re written?
A: There is very little flexibility. As the name suggests, the GDPR is a form of legislation known as a regulation. This means that it’s directly applicable in every EU member state, and will be binding on them from 25 May 2018. No further legislation is required to implement the GDPR, with one of its driving factors being that it ensures the standardisation of data protection regimes across the EU.
However, there are some articles that permit member states a degree of flexibility. These include the definition of special category data and the age at which a data subject is no longer considered a minor.
Q: What’s the meaning of a ‘third country’?
A: A third country is a country that isn’t a member state of the European Union.
Q: What will the procedure be for gaining an adequacy rating? Is it acceptable to use Cloud providers in the US so long as there is a business contract in place that provides protection?
A: The rules regulating international transfers of data under the GDPR have much in common with the rules under the Data Protection Act (DPA), except that organisations are now limited in their ability to transfer data on the basis of their own adequacy assessment.
It’s important to remember that there are two primary objectives to the GDPR, and one of them is facilitating the free movement of data. The GDPR thus clarifies some of the procedures for international data transfers that were contained in the Data Protection Directive.
The adequacy of protection levels associated with a particular transfer may be ensured by:
- Model contracts
- Binding corporate rules governing intragroup data transfers
- Reliance on an exemption
For international organisations, these will still be legitimate options for international data transfers.
Additionally, transfers may be made where the commission decides that an international organisation or a third country, territory or specific third-country sector ensures an adequate level of protection. This is beneficial, since it means that organisations designated as adequate by the commission will not need to obtain further authorisations for individual transfers.
Adequacy decisions are subject to periodic review, in which the commission consults with the entity and considers relevant developments in the entity and information from other relevant sources. Adequacy decisions therefore may involve some type of audit of the international organisation.
Q: How can the GDPR be enforced against third-country organisations? Surely the Information Commissioner’s Office (ICO) couldn’t fine a company in China.
A: Controllers that aren’t based in the EU have to appoint an EU representative. That’s the first step for a regulator in an enforcement action.
Q: What would happen if an organisation outside the EU refused to pay a fine, believing they are outside the EU’s jurisdiction?
A: They would face enforcement action, under international treaties.
Q: How will Brexit change the landscape of the GDPR in the UK?
A: When the UK signed Article 50 on 29 March 2017, it started a two-year process to negotiate its exit. This means that the UK will still be an EU member state when the GDPR takes effect in May 2018. The UK will therefore be subject to EU law and must comply with the Regulation.
Q: What will the impact of Brexit be on the choice of the supervisory authority?
A: There will be no impact. The ICO will remain the UK’s supervisory authority.
The Regulation already allows organisations to select a lead supervisory authority on the basis of either the member state within which it has a permanent establishment or the location of a significant part of its processing. It’s difficult to see this option not being available to UK companies post-Brexit.
Q: Is signing up to the EU–US Privacy Shield sufficient to satisfy the GDPR processing clauses?
A: No. The EU–US Privacy Shield is purely for protecting personal data under the Data Protection Directive in transatlantic data flows. Its scope differs from that of the GDPR, particularly regarding the legal obligations of processing, storing and transmitting personal data.
Moreover, the EU–US Privacy Shield is subject to annual review, and is therefore likely to change. This provides limited certainty with regards to data protection. This factor, combined with the drastically different data protection culture in the US and the GDPR principle of adequacy, means it’s highly unlikely that current EU–US Privacy Shield conformance will suffice for GDPR compliance. US organisations that are within the scope of the Regulation should proceed on the basis that they too will have to comply fully with the requirements of the GDPR.
Q: In terms of practical implementation, would GDPR compliance be better led by information assurance professionals or legal/policy teams?
A: It would be better if implementation was led by practitioners, albeit with lots of legal input and advice. What matters is how you implement the legal requirements, rather than how well you reflect them in your documentation.
Watch our webinars to find out more
For more information on Brexit and the territorial scope of the GDPR, take a look at our webinar series. Some of the most appropriate webinars to get started with are: