Privacy Checklist for Brexit Transition

The data protection aspects of Brexit have received relatively little attention in the mainstream press. But data is a crucial consideration for every business with customers, clients, or business partners in the European Economic Area (EEA).

At the time of writing, there's still a lot of uncertainty about what will happen on January 1, 2021. Many businesses are "in limbo" and eagerly awaiting news about tariffs, customs checks, and deregulation.

However, when it comes to ensuring you can still receive personal data from the EEA next year, it's possible to prepare for a "worst-case scenario" without significant costs.

This article will help you get ready for the end of the transition period, whether or not the UK has secured a free trade agreement.


Understanding the Privacy Implications of Brexit

In preparing for the end of the transition period, your first task is to understand how the UK's data protection framework could change.

Below, we've answered some frequently asked questions about the privacy implications of Brexit.

Will the UK Receive an Adequacy Decision?

The EU's "adequacy" framework determines which countries can freely receive personal data from data controllers in the EEA (which includes the 27 EU countries plus Iceland, Liechtenstein, and Norway). There are 12 countries on the adequacy list, including Japan, Canada and New Zealand.

The EU has not yet determined whether the UK will be an "adequate" third country after the end of the transition period. It is by no means clear that the UK will receive an adequacy decision.

Some commentators argue that if the EU and the UK successfully negotiate a free trade agreement, the EU will grant the UK an adequacy decision as part of this agreement.

But the UK may leave the EU without a free trade agreement or an adequacy decision. In this scenario, businesses that have not prepared will face difficulties maintaining the flow of personal data from the EEA to the UK.

With many questions still unanswered and very little time remaining, the UK government strongly recommends preparing for a "no-deal" and "no adequacy decision" scenario. Our transition checklist will help you do this.

Will the GDPR Continue to Apply in the UK Post-Brexit?

The UK will continue to apply the same data protection standards from January 1, 2021. Data protection and privacy will continue to be regulated by the UK's Data Protection Authority, the Information Commissioner's Office (ICO).

However, there will be some major changes to how data protection law works and how UK and EEA businesses exchange personal data. These include the repeal of the "EU GDPR" in the UK and the entry into force of the "UK GDPR."

What is the UK GDPR?

The UK GDPR is the UK's version of the GDPR that will apply from January 1, 2021. The government will be able to amend the UK GDPR but, at first, it will remain the same in key areas, such as:

  • Principles of data processing
  • Data subject rights
  • Lawful bases for processing

This means UK businesses will need to continue applying the same data protection standards after the end of the transition period.

The amendments to the UK GDPR are published in a "Keeling Schedule," available on the UK government's website, to help people keep track of the changes. Here's an example of the types of changes that have been made (at page 5 of the Keeling Schedule):

[Image: GDPR Keeling Schedule: Article 3 - Territorial scope]

In the image above, you can see how references to "the Union" have been replaced by references to "the United Kingdom." References to "Member State law," meaning the law of an EU country, have been replaced by references to "domestic law," meaning UK law.

Will the UK Data Protection Act 2018 Still Apply?

The UK Data Protection Act 2018 (DPA 2018) will continue to apply in the UK after the end of the Brexit transition period. It sits alongside the UK GDPR.

Some parts of the DPA 2018 have also been amended to reflect the incorporation of the GDPR into UK law as the UK GDPR, to remove references to the EU, and to implement the UK's adequacy framework.

The amendments to the DPA 2018 are also available in a Keeling Schedule. Here's an example of some of the recent amendments to the DPA 2018 (at page 129 of the Keeling Schedule):

[Image: Data Protection Act 2018 Keeling Schedule: Section 165 - Complaints by Data Subjects]

In the image above, you can see changes to the rules around how the ICO must coordinate with EU DPAs now that the ICO is no longer a member of the European Data Protection Board (EDPB).

These changes are unlikely to affect most small and medium-sized businesses, but it's important for all businesses to understand the fundamental changes occurring to the legal framework of the UK due to Brexit.

Facilitating EEA/UK Data Transfers

Data transfers from the EU to the UK have been unaffected throughout the transition period. But once the transition period ends, things may get more complicated.

This section applies to data flows from the EEA to the UK, meaning:

  • UK controllers or processors receiving personal data from EEA controllers, and
  • EEA controllers sending personal data to UK controllers or processors

Data flows in the opposite direction (from the UK to the EEA) will be mostly unaffected by Brexit.

If you aren't sure whether your business is a controller or a processor, see our article GDPR Data Controller vs. Data Processor.

To ensure that personal data is protected once it leaves the EEA, EEA-based data controllers are only allowed to transfer personal data to non-EEA controllers and processors under one of the following conditions:

  1. The receiver is located in a country subject to an adequacy decision
  2. The transfer is subject to a written agreement containing standard contractual clauses (SCCs) adopted by the European Commission
  3. The transfer is subject to a set of binding corporate rules (BCRs)
  4. One of the GDPR's limited derogations for exceptional situations applies

As explained above, you cannot assume that the UK will receive an adequacy decision. Therefore, UK businesses receiving personal data from EEA businesses will need to rely on one of the other three safeguard options.

The onus is on the sender of personal data (i.e., the EEA-based controller) to ensure that personal data is protected during and after the transfer. However, the receiver will also want to ensure that the transfer is legally compliant.

For most businesses, the most appropriate choice of safeguard is likely to be option 2: SCCs.

This means UK businesses that receive personal data from the EEA and EEA businesses that send personal data to the UK must ensure:

  • There is a written contract covering the transfer/ongoing transfers
  • The contract contains one of the sets of SCCs adopted by the European Commission
  • Both businesses have assessed whether the SCCs are sufficient to safeguard the personal data
  • If the SCCs are not sufficient, the businesses have implemented supplementary safeguards

For more information on using SCCs, see our article Using Standard Contractual Clauses.

It may also be possible to rely on option 4 (derogations) for one-off transfers. The EEA-based sender of the personal information will need to determine whether this would be lawful in each case.

For more information on all other data transfer safeguard options, including the exceptions to the GDPR's data transfer rules, see our article Transferring Personal Data Out of the EU.

Appointing an EU Representative

The EU requires some non-EEA organizations to designate an "EU representative," who will act as their legal presence in the EEA.

This section applies to UK businesses that are not established in the EEA, and:

  • Offer goods and services to EEA consumers, or
  • Monitor the behavior of people in the EEA

If you aren't sure whether you "are established in the EEA," "offer goods and services in the EEA," or "monitor the behavior of people in the EEA," see our article How EU and U.S. Privacy Laws Apply to Foreign Businesses.

Not all UK companies will need to appoint an EU representative, even if they do meet the conditions above. Your business might not need to appoint an EU representative if it meets all of the following three conditions:

  • It only occasionally processes personal information
  • It doesn't process personal information in a way that is likely to result in a risk to the "rights and freedoms" of people in the EEA, and
  • It doesn't process large amounts of "special category" (sensitive) data or criminal records data

An EU representative is your company's main contact for EEA consumers and DPAs. They can be called before an EEA court if you violate the GDPR. They can also help keep records of your EEA data processing.

Your EU representative can work directly for your company, or they may be a contractor or agency worker. In fact, anyone can be your EU representative, as long as they meet the following three conditions:

  1. They have a legal presence in an EEA country
  2. They speak an EEA language
  3. They are not your Data Protection Officer (assuming you have one)

Appoint your EU representative in whichever EEA country your business has the most significant presence.

You'll need to appoint your EU representative in writing.

For more information about how to do this, see our article GDPR Appointment of EU Representative Letter.

Updating Your Privacy Policy

Your company's Privacy Policy serves as a comprehensive notice to your consumers about your business, your data protection practices, and consumers' legal rights.

Our Privacy Policy Generator makes it easy to create a Privacy Policy for your website. Just follow these steps:

  1. Click on the "Privacy Policy Generator" button.
  2. At Step 1, select the Website option and click "Next step":
     [Image: TermsFeed Privacy Policy Generator: Create Privacy Policy - Step 1]
  3. Answer the questions about your website and click "Next step" when finished:
     [Image: TermsFeed Privacy Policy Generator: Answer questions about website - Step 2]
  4. Answer the questions about your business practices and click "Next step" when finished:
     [Image: TermsFeed Privacy Policy Generator: Answer questions about business practices - Step 3]
  5. Enter your email address where you'd like your policy sent, select translation versions and click "Generate."
     [Image: TermsFeed Privacy Policy Generator: Enter your email address - Step 4]

You'll be able to instantly access and download your new Privacy Policy.

After the transition period ends, you'll need to update your Privacy Policy to ensure it reflects:

  • The relevant laws that apply to your processing of personal data (i.e. the UK GDPR and the DPA 2018)
  • Any changes you have made due to Brexit (e.g. information about your data transfer safeguards)
  • Details of your EU representative

It's crucial that your business keeps its Privacy Policy up to date. There are likely to be many outdated Privacy Policies after January 1, 2021, so this is an opportunity to ensure your business demonstrates its professionalism and legal compliance.

Choosing a New Lead Supervisory Authority

The one-stop shop mechanism (OSS) applies to businesses that engage in cross-border transfers of personal data within the EEA.

This section is relevant to businesses that are:

  • Based in the UK
  • Established in the EEA
  • Engaged in cross-border processing of personal data between EEA member states

For example, a business that is based in the UK, has an office in France, and has customers in multiple EEA countries.

If a data protection issue arises concerning multiple EEA countries, the OSS mechanism means that an EEA business will only need to deal with the DPA in its "main establishment." This main establishment DPA is known as the company's "lead supervisory authority." The OSS thus saves businesses operating in more than one EEA country from dealing with multiple DPAs.

Brexit means that the ICO may stop participating in the OSS. This means that if the ICO is your lead supervisory authority, you may need a different DPA to act as your lead supervisory authority after the end of the transition period.

Whilst it is not strictly possible to choose your lead supervisory authority (LSA), you should try to determine which EEA country is your main establishment so that you know who to approach in the event of an incident concerning your cross-border processing activities.

The Article 29 Working Party states that your main establishment is the EEA country in which your "central administration" is located. This has a slightly different meaning for controllers and processors.

For controllers, the central administration is: "where decisions about the purposes and means of the processing of personal data are taken" and which "has the power to have such decisions implemented."

For processors, the central administration is: "where the main processing activities take place."

Once you know where your central administration, and thus your main establishment, is located, you will know which DPA to approach if you suffer a data breach or need to consult on a data protection impact assessment (DPIA).

Summary of Your Brexit Transition Privacy Checklist

To prepare for the end of the UK's transition out of the EU, you may need to take one or more of the following steps:

  • Familiarize yourself with the UK's post-Brexit data protection legal framework
  • Set up a data transfer safeguard mechanism for any personal data you receive from controllers in the EEA
  • Appoint an EU representative established in an EEA country
  • Update your Privacy Policy
  • Consider whether you need to choose a new lead supervisory authority under the one-stop shop mechanism

Robert B.

Legal writer.

This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.