When the UK left the EU on 31 January 2020 – sparking a transition period that ends on New Year’s Eve – there were plenty of questions about how organisations would transfer personal data to and from EU member states.
The government is seeking an adequacy decision, which – if approved – would mean organisations could continue with almost no disruption.
However, it was always an uphill battle to get the European Commission’s decision by 31 December, with the process often taking two years or more.
Things were then complicated by the invalidation of the EU–US Privacy Shield and the increasing likelihood of a no-deal Brexit.
It therefore looks as though major changes are on the way, and the ICO (Information Commissioner’s Office), which oversees data protection and data privacy in the UK, is advising organisations to act now.
In this blog, we look at three things you must address before the end of the year.
1. Do you have a lawful basis for data transfers?
Personal data can currently be transferred freely between the UK and the EU, but when the transition period ends organisations must establish a new lawful basis.
Assuming that an adequacy decision isn’t reached before the end of the transition period, organisations must use SCCs (standard contractual clauses) or BCRs (binding corporate rules).
BCRs apply strictly to multinationals, helping them make intra-organisational transfers of personal data across the EU.
SCCs are more widely applicable. They are legal contracts that outline the terms and conditions for data transfers, and are designed for organisations that participate in two-way data sharing and in straightforward internal personal data transfers.
EU-based organisations may already be familiar with SCCs, as they are widely used for data transfers to non-member states that don’t have an adequacy decision.
When using SCCs, organisations and regulators must conduct case-by-case analyses to determine whether protections concerning government access to data meet EU standards.
2. Do you need an EU representative?
Article 27 of the GDPR (General Data Protection Regulation) states that, with the exception of public bodies, data controllers that aren’t based in a member state and that regularly process EU residents’ personal data must establish an EU representative.
As the name suggests, an EU representative is someone based in the EU who works on behalf of an organisation in a third country.
In the case of UK organisations, this will primarily involve serving as the point of contact between the organisation, the supervisory authorities and data subjects.
They’ll do this by:
- Responding to any queries the supervisory authorities or data subjects have concerning data processing;
- Maintaining records of the organisation’s data processing activities; and
- Making data processing records accessible to the ICO.
These tasks sound a lot like those of a DPO (data protection officer), but it’s important not to confuse the two roles.
An EU representative represents non-EU based organisations when it comes to their GDPR requirements, whereas a DPO is an independent expert who helps facilitate and assess the organisation’s compliance practices.
Find an EU representative quickly and easily with the help of our sister company GRCI Law.
Led by a team of lawyers, barristers, and information and cyber security experts, GRCI Law can take the strain of GDPR compliance, acting as your EU representative for personal data processing activities.
3. Identify your lead supervisory authority
An organisation’s LSA (lead supervisory authority) is the public body responsible for data protection – which, in the UK, is the ICO.
However, when the transition period ends, the ICO will no longer be a supervisory authority under the GDPR, so UK-based organisations must find an alternative.
This means identifying the EU data protection body that is most appropriate to the business you do.
Most countries have a single watchdog (with the exception of Germany, which has one for each of its 16 states as well as a federal one), so this is generally a case of identifying which country you do most of your business in and identifying its supervisory authority.
So, for example, if you mostly process Spanish residents’ personal data, your LSA should be the Spanish Data Protection Authority.
Once you’ve made your choice, you must determine whether any specific actions are required. You may well be required to register with the LSA and pay a fee.
You should also review any differences in the way your new LSA approaches GDPR compliance and adjust your practices accordingly.
For example, the Regulation gives supervisory authorities the option to adjust the age at which someone is no longer a minor, and to interpret its rules however they see fit.
Download our free Brexit checklist
Brexit is coming and with it a number of changes to the way organisations need to deal with personal data. Some of these changes are obvious, but there’s a lot more to do than first appears.
That’s why we’ve created a checklist outlining the steps you must take before 1 January 2021. This includes guidance on:
- Appointing an EU representative;
- Identifying a lead supervisory authority in the EU;
- Updating contracts governing EU-UK data transfers to incorporate standard contractual clauses; and
- Updating policies, procedures and documentation in light of those changes.
Download our free checklist to track the headline issues and resolve them before you find yourself at odds with the law.