Brexit & Data Protection: Deal vs No Deal
Currently there is a lot of uncertainty and worry about Brexit, and whether we will be able to secure a last-minute deal or face the prospect of a No Deal. The implications of a No Deal would be felt across all industries, not just the survey industry, so most businesses are currently exploring what they can do to minimise its impact and disruption should it become a reality.
Accordingly, in the lead up to the 31st October Brexit deadline, we will be publishing a series of short articles examining how it could affect the online survey industry and, more specifically, its potential impact on data protection, data collection and data security.
We’ve sat down with our data collection expert to give you some answers and clarity about what we consider to be among your biggest concerns.
In this first of a series of three, we will be examining data protection issues in a bit more detail, particularly how they apply to the flow and transfer of personal data from the UK to the EU and from the EU to the UK, and what could happen in the event of a No Deal.
Before we begin, it is also important to point out that these answers represent the current opinions of our data collection expert and shouldn’t be construed in any way as offering actual legal advice.
a) What impact do you think leaving the EU will have on data?
This will depend on whether we secure a deal. In the event of a No Deal, we will need to consider the impact on data flows both from the UK to EU and from the EU to the UK.
Data flows from UK to EU: in this instance the data flow will be subject to transfer rules set by the UK government, which are currently anticipated to mirror the General Data Protection Regulation (GDPR), as the government has said it intends to retain the GDPR in UK law after exit.
The UK government has confirmed that personal data transfers to the European Economic Area (EEA) will not be affected, because the UK will treat the EEA as subject to an "adequacy decision". Essentially, an "adequacy decision" by the UK permits data to be transferred to the EEA because the EEA is deemed to provide an adequate level of protection for personal data.
Data flows from EU to UK: in this scenario the data flow will be affected, as the UK will no longer be an EU member state and will instead be a "third country" for the purposes of the GDPR.
EU organisations that are data controllers will need a lawful mechanism to transfer personal data to the UK. Currently the simplest and most common way for an EU data controller to do this is to enter into Standard Contractual Clauses ("SCCs") with the organisation outside of the EU. The SCCs are a set of model contract clauses approved by the European Commission that allow an EU organisation to transfer personal data lawfully to a country outside the EU where that country has not been granted an adequacy decision and no other transfer mechanism applies (such as Binding Corporate Rules for transfers within a corporate group, or, for a USA-based organisation, certification under the EU-US Privacy Shield).
A case for keeping everything in the UK: in anticipation of the challenges of transferring data across borders, best in class providers typically host all their data on UK-based servers. For a UK business whose respondents, staff and systems are in the UK, this arrangement removes concerns about trans-border data flows, as all the data is collected, stored and processed under the same set of rules. Note that hosting location alone does not settle every case: if an EU-based controller sends personal data to a UK-hosted provider, that is still an EU-to-UK transfer in a No Deal and will still need one of the mechanisms described above.
b) What do businesses need to be aware of in the event of a No Deal, particularly with regards to their data?
Businesses need to ensure there is a lawful basis for any transfer of personal data coming from the EU. This data can be very extensive and can include a wide and varying mix of personal data relating to employees, customers and suppliers. You would also need to consider that different types of personal data, and different flows, may rely on different lawful bases and transfer mechanisms, so each flow should be identified and assessed individually.
Businesses will also need to ensure that data transfers from the UK have a lawful basis, but as discussed above, transfers to the EEA will continue to be permitted. The UK government has also stated that third countries which already hold an EU adequacy decision will be recognised as adequate by the UK as well. However, it is not clear how this will affect Privacy Shield and whether the UK will have its own Privacy Shield or honour the current USA-based organisations that have signed up to it.
Whatever the outcome, related documentation such as the Data Protection Policy and Privacy Policy will need to be revised to take this into account. In addition, the organisation should map its affected data flows and, where the processing warrants it, carry out a data protection impact assessment (DPIA) to establish the extent of the changes.
Finally, it is good practice for employees to receive training on how this change will affect them and the data they handle.
c) How can businesses work with software vendors and providers to prepare for a No Deal scenario?
They need to ensure that international transfers of personal data between the EU and the UK are lawful under both sets of rules (EU and UK). They also need to consider whether they should enter into Standard Contractual Clauses ("SCCs") with their vendors before the planned date for the UK to leave the EU, so that a transfer mechanism is already in place on exit day.
They could also consider working with an alternative software partner. Best in class providers were already working on ways to simplify their data flows, while ensuring their compliance, well in advance of the General Data Protection Regulation (GDPR) taking effect in May 2018. The best of these have evolved to provide a 100% UK-based team and data storage on UK-based servers, so that for their UK customers the question of international transfers, and with it the outcome of Brexit, largely falls away. Hosting in the UK does not remove GDPR obligations themselves, which the UK intends to keep in domestic law, but it does take cross-border transfers out of the equation.
d) As the future can't currently be predicted, what would you recommend to a business looking to implement a new software solution?
A business needs to understand where its software provider is transferring data to (including where data is hosted and from where it is accessed) and to ensure that the provider has done the necessary preparation for a No Deal Brexit. This needs to include a detailed consideration of its potential impact, along with planned or already implemented solutions for dealing with a No Deal Brexit, such as SCCs or UK-based hosting.
Following on from today’s look at data protection issues, next week’s piece will explore data collection and how it applies in the GDPR world, so do make a note to check back with us then.
Disclaimer: This article post does not constitute legal advice nor does it guarantee compliance with any legislation including GDPR. It is only intended as background information to supplement your knowledge and awareness. We recommend you obtain the advice of a suitably qualified individual for guidance and ensuring compliance.