How will UK organisations share data with the EU in no-deal Brexit?

As we approach 31 October and the revised Brexit deadline day, you’ll see more and more stories pop up about previously under-reported ways that the UK’s departure from the EU will affect organisations.

The latest concerns are about how UK organisations will be able to share data with EU partners.

This is something we’ve discussed before, but we’re now putting together more thorough guidance explaining the ramifications that a hard Brexit will have on data transfers and the steps organisations must take to prepare for it.

After all, the UK government will have less than two months to make a deal once it returns from summer recess on 3 September, and with Boris Johnson now leading the UK’s departure, there’s a much higher likelihood of a no-deal Brexit.

What you need to know about a no-deal Brexit

Should the UK leave the EU without a deal, there will be no transition period before it becomes a ‘third country’.

This will have several major repercussions.

  • Adequacy decisions

Under the GDPR (General Data Protection Regulation), organisations in third countries can only process EU residents’ personal data if:

  • There is an adequacy decision, as per Article 45 of the GDPR;
  • If they rely on SCCs (Standard Contractual Clauses), as per Article 46; or
  • If they rely on BCRs (Binding Corporate Rules), as per Article 47.

The adequacy decision process cannot be started until exit day, so if there is no deal and therefore no transition period, UK organisations that process EU residents’ personal data will need to ensure SCCs or BCRs are in place by then in order for their data processing to remain lawful under the GDPR.

These are formal agreements between organisations that share personal data (including suppliers, partners or subsidiaries), which outline the ways in which the information will be protected.

  • The Privacy Shield

Although the government has said that UK organisations “will continue to be able to legally send personal data from the UK to the EEA and 13 countries deemed adequate by the EU” (including to US participants in the EU-US Privacy Shield), it’s impossible to know how long this will be the case, especially as the UK will have no future say over how the Privacy Shield – an EU agreement – will be enforced or amended.

Therefore, SCCs or BCRs are, again, the only practical route for UK data controllers that need certainty about using US data processors, whether directly or through suppliers, partners or subsidiaries.

  • Security weaknesses

Cyber criminals love times of disruption, and in the period leading up to and beyond Brexit, there will be significant disruption.

Organisations should expect to see Brexit-themed phishing scams, as well as other types of cyber attack that look to take advantage of organisation’s uncertain security posture.

UK organisations should act now to ensure cyber defences are adequate, that their incident response plans are tested and working, and that staff training – particularly in relation to identifying phishing attacks is up to date.

  • EU representative

Like any other organisation that is based in a third country and provides services into the EU, UK organisations will need a representative in the EU, under Article 27 of the GDPR.

GDPR and DPA 2018 compliance will continue to be mandatory.

In the event of hard Brexit, the UK government has indicated that it intends to replicate the Article 27 provision to require controllers based outside of the UK to appoint a representative in the UK.

This means that, should the UK exit the EU without a transition period (which will be the case if no deal is reached), a controller or processor located outside the UK but bound by UK data protection laws by virtue of their extra-territorial impact (including EU based organisations) may be required to appoint a UK representative.

Selecting an EU representative

Your EU representative can be any natural or legal person who’s based in an EU member state within which you collect personal data.

If you only collect information from data subjects in, say, France, your EU representative must be based in France. However, if you collect personal data from the entirety of the EU, you can appoint a representative from any EU member state.

When you have multiple countries to choose from, it’s best to select the one in which you collect the most data or conduct the most extensive monitoring.

But who should you approach to act as your representative? What qualifications do they need?

If you’re unsure about these questions, or simply want a fast, reliable access to an EU representative, then we have the perfect solution.

Led by a team of lawyers, barristers, and information and cyber security experts, our sister company GRCI Law will take the strain of GDPR compliance, acting as your EU representative for personal data processing activities.

With Brexit uncertainty lingering, we’re aware that organisations are hesitant to sign up for long-term representation when no one is sure exactly when the UK will leave the EU and your representative requirements will kick in.

That’s why we’re now offering our EU Representative service on a 3-month contract, purchasable online.

Buy now to ensure that you’re covered for Brexit – whether that’s on 31 October or beyond.