11/24/20
The consequences of Brexit are getting closer as we approach the end of the year. As many know, the transition period will end on 31 December 2020. It is still not completely clear what the trade relationship between the European Union (EU) and the United Kingdom (UK) will look like after the transition period. In any case, the UK will become a third country for the EU. This means that the General Data Protection Regulation (GDPR) will no longer apply in the UK from 1 January 2021, and consequently that personal data can no longer be transferred to the UK on the basis of the GDPR from that date.
Personal data is not protected everywhere in the world at the level we are used to in the EU. Within the EU, one set of rules applies: the GDPR. That is why it is possible to process personal data, or to have it processed, in, for example, Finland or Cyprus. Different rules apply to transfers to a country outside the EU. Third countries are all countries outside the EU, with the exception of the countries in the European Economic Area (EEA): Iceland, Liechtenstein and Norway are within the EEA. Transfer of personal data from the Netherlands to a third country is in principle only allowed if the third country offers an adequate level of protection. The European Commission can adopt an adequacy decision if a third country provides an appropriate level of data protection in its national law. This means that the European Commission has determined that the country offers a level of data protection comparable to that of the GDPR. The list of countries with an appropriate level of protection can be found here. Since the UK will soon qualify as a third country, the EU can designate the UK as a safe country by means of an adequacy decision, thereby determining that it offers a level of privacy protection equivalent to that of the EEA. However, it is unlikely that this decision will be taken before the end of the transition period.
If no adequacy decision is taken before the end of the transition period, this will have consequences for organisations. Should the transition period expire without further agreements being made, organisations will not be able to rely on an adequacy decision to ensure that data transfers to the UK comply with the GDPR rules that apply to third countries. Standard Contractual Clauses (SCC) and Binding Corporate Rules (BCR) may then provide a solution that enables the transfer of personal data.
The SCC are in fact model contracts approved by the European Commission that provide the additional contractual safeguards for data protection when personal data is transferred from the EEA to a third country. However, SCC cannot simply be used as they stand. Since the Privacy Shield was invalidated, an assessment is needed of the privacy risks that may arise when public authorities of the country to which the data is transferred gain access to personal data, and of how such risks can be mitigated. Based on the result of the risk assessment, additional technical and organisational measures may be necessary. To address the privacy risks, additional contractual, technical and organisational measures such as certifications, encryption or guarantees may be used, provided the suitability of the measures taken by the data importing party has been assessed. If no such measures can feasibly reduce the risks, the transfer of personal data may not take place. The European Data Protection Board has drawn up guidance setting out how to identify and assess the risks of third countries; it contains a non-exhaustive list of additional contractual, technical and organisational measures that could mitigate these risks. In addition, draft SCC have been submitted for consultation by the European Commission, and new SCC are expected to be introduced in the foreseeable future. It is important to keep a close eye on these developments.
Binding Corporate Rules (BCR) are the internal policy of a group of companies for the protection and internal sharing of personal data. Within the group, appropriate safeguards are provided for the transfer of personal data within and outside the EEA. If you are already using BCR, we recommend that you check whether the UK privacy regulator (ICO) has been designated as the lead supervisory authority. If so, a new lead supervisory authority should be designated for the BCR. This new lead supervisory authority will consider, on a case-by-case basis and together with the other relevant supervisory authorities, whether it is the most appropriate lead authority.
If you do not yet use BCR and want to introduce them, the Dutch Data Protection Authority (AP) must first approve them. However, AP chairman Aleid Wolfsen has recently indicated that there is a waiting period of five to seven years for this. For this reason, BCR do not offer a short-term solution, but they are a robust long-term solution for multinationals that want to share personal data with offices around the world.
There are a number of steps your organisation can take to prepare for the consequences of a no-deal Brexit:
1. Make an inventory of the processing activities of your organisation and the sub-processors involved in transferring personal data from the EEA to the UK.
2. Determine how you can proceed with the transfer of personal data to the UK (you may be able to do this by using Standard Contractual Clauses or Binding Corporate Rules).
3. Record internally the basis on which the data will be transferred to the UK.
4. Adjust your privacy statement to inform your data subjects.
As part of our State of Tax series, we are organising the English language webcast 'Ready for Brexit' on 2 December. In it, PwC Brexit experts will update you on the necessary preparations in the areas of trade and goods, taxes, employees and legal aspects. The topic of GDPR is also discussed here. Register here.