GDPR and Brexit – is your company prepared?
In the event that the UK leaves the EU on 29 March 2019 without a deal, UK businesses will need to ensure they continue to be compliant with data protection law. For UK businesses that operate internationally or exchange personal data with partners in other countries there may be changes that need to be made ahead of the UK leaving the EU to ensure minimal risk of disruption.
It is important for businesses to review whether they would be affected. For those that would be affected, early action is advised as changes may take some time to implement.
How personal data currently moves across border:
- Personal data is protected by the GDPR (General Data Protection Regulations). This gives individuals rights over their data: to know who has it, to correct it, to delete it, to move it etc.
- The GDPR says that data can only be moved across borders if equivalent protections exist in the country where the data is going
At present personal data can cross borders as follows:
- Where it remains in the EU (because all EU countries must apply GDPR)
- Plus EEA states: Norway, Iceland, Lichtenstein, and other UK territories like Gibraltar
- Countries where the EU Commission has determined there are adequate protections: Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, Uruguay and the United States of America (limited to the Privacy Shield framework) as providing adequate protection
- If none of the above apply, such as when personal data is sent to India or Australia, then the data can only be sent where there are “standard contractual clauses” (SCC) or “binding corporate rules” (BCR)
- SCC and BCR essentially extend the GDPR rights to data moved to a third country jurisdiction
- To note: SCC only covers certain data transfer relationships and BCR only cover data transfer within a single company
What personal data crosses borders?
A lot of personal data crosses borders every day. When speaking to a call centre in another country or buying goods or services online, personal data has often moved to another jurisdiction.
Many services are outsourced internationally and can involve personal data processing:
- Customer services
- Billing and accounts payable and receivable
- Payroll
Many business-to-business services operate in the Cloud, and this may be operating across borders. For example:
- Google does not have a UK data centre, with much UK data likely held in Dublin
- Facebook does not have a UK data centre, with much UK data likely held in Dublin
- Amazon Web Services have a UK data centre but this is relatively new, and much will be Dublin, Frankfurt and Luxembourg
- Microsoft have UK data centres among over 100 globally
Some sectors, by their very nature, involve cross-border data. For example:
- Financial sector – international payments etc.
- Life Sciences – the global nature of medical research
- Transport – passenger data
What do businesses need to do?
They need to understand their data flows. Do they have affected cross-border personal data flows? Have they put in place Standard Contractual Clauses or Binding Corporate Rules?
The government published advice for business in September, click here for the information.
The ICO (Information Commissioner’s Office) provides good information:
ICO Leaving the EU Six Steps (https://ico.org.uk/media/2553958/leaving-the-eu-six-steps-to-take.pdf)
ICO tool for working out if SCC will work for you (https://ico.org.uk/for-organisations/data-protection-and-brexit/standard-contractual-clauses-for-transfers-from-the-eea-to-the-uk-interactive-tool/)
More information on all British Marine’s work to date on the EU exit negotiations, along with a range of guidance documents, is available to members on the British Marine website.
