With Brexit looming closer and everyone still none the wiser on our proposed agreement with the EU, we discuss the potential GDPR implications in the event of the UK walking away with a no deal.
In this scenario it has already been confirmed there will be no immediate change in the UK’s own data protection standards (recently updated). However, the legal framework governing transfers of personal data from organisations established in the EU to organisations established in the UK would change on our exit.
Those of us who are in some way responsible for data protection governance and compliance are surprised at the number of UK businesses currently transferring and processing personal data on EU citizens daily, to and from the rest of Europe, without yet fully considering the repercussions of leaving. Such businesses often have not yet considered, or taken steps to put in place, ‘adequate protections’ to allow these transfers to continue after the March deadline.
At the risk of being accused of scaremongering (again!), some of these businesses will need to seriously bear in mind that, on leaving the EU without a sharing agreement in place, the UK will be classed as a third country by the EU - and therefore will not hold any EU-approved ‘adequacy status’.
For the UK to be granted ‘adequacy status’ to allow data sharing to continue as it does currently will take some time after March (potentially years).
This adds to the business risk: EU data subjects may be able to take a UK company to task for breaching the GDPR if there are no agreed and adequate safeguards in place, as defined by the EU, to allow the transfer (or the processing in the UK) to take place - with potential fines of up to 4% of global turnover from an EU supervisory authority.
So what do we need to do?
The ICO has provided simple, clear guidance (Leaving-the-eu-six-steps-to-take.pdf), available online since December, but in summary:
- Revisit your current processing flows created under the regulations (I nearly said dust them off, but I would hope none are gathering dust!) and identify where you receive personal data covering EU/EEA (non-UK) data subjects into your business in the UK, and vice versa, what EU data you transfer out. Remember the GDPR covers the processing of all EU citizens’ data, so this may affect seasonal/casual workers from overseas.
- Understand what GDPR-compliant safeguards you currently have in place to ensure that the data can continue to flow from your source once we are outside the EU. These safeguards may be binding corporate rules, safeguarding agreements, or the use of a ‘representative’ located in the EU.
- Review what you currently have in place to ensure it will still be relevant and cover you sufficiently in the event the UK is no longer classed as ‘adequate’, so that your data can continue to flow with minimal risk.
What safeguards are needed to transfer data if outside the EU?
The three options approved by the EU Commission, one of which must be in place to enable international transfers of personal data between EU/EEA states and countries not classed as ‘adequate’ (us, if we crash out!), are:
- A legally binding and enforceable instrument between public authorities or bodies
- Binding corporate rules
- Standard data protection clauses adopted by the EU/EEA
If you need any assistance with safeguards or would like help with reviewing your current transfer processes and documentation to determine suitability, please contact Kevin Nolan on 01622 759 900.