With all the talk surrounding Brexit and the various scenarios that could happen, it is useful to look at the potential effect on data transfer and what that might mean for organisations and their IT systems.
Elizabeth Denham the UK Data Commissioner in December stated: “the Government has already made clear its intention to permit data to flow from the UK to EEA countries. But transfers of personal information from the EEA to the UK will be affected.”
As long as the UK remains in the EU, GDPR and the UK Data Protection Act 2018 govern how we process personal data and in particular what we must do if transferring personal data to non-EEA jurisdictions. Leaving the EU results in some interesting challenges.
Subject to appropriate protections and application of the core GDPR data protection principles, EU countries are effectively free to transfer data between themselves. To legally process or share data outside of the EEA we are obliged to determine whether the destination is on the EU’s adequacy list and if not contractually protect the transfer using Binding Corporate Rules (BCRs) if an intra organisation transfer or Standard Contract Clauses (SCCs) if to another legal entity. There are some derogations to this but these are only to be used in limited circumstances.
Data Transfer Operating Models
There are three main operating models:
1 You are a business established only in the UK providing services solely in the UK and sharing no personal data with other clients or organisations outside the UK;
2 You are a business established only in the UK providing services to clients in the UK and the EU;
3 You are a business established in the UK sharing data with your offices, clients or other service providers who are based in the EU.
Model 1 – Brexit has no impact
Model 2 – You may have competition from firms who guarantee client data does not leave Europe. You will likely be asked by clients to make provision for the transfer of their data outside of the EU.
This may result in a significant client contract review if previous arrangements relied on the UK being a member of the EU.
Model 3 – As model 2 but EU offices will also need to make provision for the sharing of their client and employee personal data with the UK office. Any supplier contracts that previously relied on the UK being within the EU may need to be revised.
So what does that mean for IT systems?
In a ‘leave’ scenario, the UK will become a third party as far as data transfer is concerned effectively placing us in the same legal position as countries such as India or China.
It is important therefore to plan for how we intend to legalise the processing and sharing of client and employee data between our own offices and with clients.
For a UK office to share UK client data with EU offices will remain mostly unaffected but the sharing of data in the other direction ( EU to UK) will need new provisions and protections.
Example scenario
At ExampleCo LTD, the Document Management, CRM and Accounting systems hold international client data with some clients mainly handled by their German and French offices. The systems are hosted in a London data centre and the IT, Finance and Marketing teams are based in the London office.
In this scenario ExampleCo LTD will have two options to ensure their personal data processing is legal following a ‘leave’ scenario;
1 It prevents the French and German client and employee data from being shared with the London based systems by setting up hosted solutions somewhere in Europe.
2 It creates either Binding Corporate Rules or Standard Contract Clauses signed by all offices.
There is the possibility of using client consent as an exception to the above but this is only to be used in limited circumstances and would likely require complex administration processes.
Data Protection Representatives
Another consideration is whether or not to appoint a ‘representative’. GDPR Art 27 requires that organisations outside of the EU offering goods or services to organisations within the EU may need to appoint a ‘representative’ to govern data protection and be the point of contact for Data Subjects and Data Protection Authorities.
As a consequence, the ICO has also indicated that in a ‘leave’ scenario a UK-based law firm that does not have any offices in the EEA but offers goods or services to EEA individuals will need to consider appointing a European representative.
The ICO guidance on representatives due to Brexit can be found here:
https://ico.org.uk/for-organisations/data-protection-and-brexit/data-protection-if-there-s-no-brexit-deal/the-gdpr/european-representatives/
Next Steps
1 Using a data flow map, determine which data relationships will be impacted by the UK leaving the EU.
2 Determine whether current data locations should be changed.
3 Determine whether current processes should be changed.
4 Assess the viability of Binding Corporate Rules.
5 Determine whether Standard Contract Clauses are required.
6 Update Privacy Notices so as to comply with the transparency requirements.
7 Assess the requirement for a representative.
To discuss any of these matters in more detail or for help with any of your GDPR or Information Security challenges contact timhyman@2twenty4consulting.com
