28 January 2019
Brexit and data protection
By Naomi Korn and Carol Tullo, OBE
The current Brexit impasse has implications for data privacy. The approach that Government ultimately takes, in aligning Brexit and GDPR, is important for us all. If the option of a “No Deal” Brexit happens, there will be a number of extra compliance measures that Data Protection Officers and/or Data Protection Leads working for those organisation transferring personal data to Europe or receiving personal data from Europe, will need to put in place to ensure that their organisations remain compliant with GDPR. As part of a raft of transitional secondary legislation tabled in December, the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 relate to the post Brexit GDPR position. 64 pages of amendments to the Data Protection Act 2018 and GDPR create in effect a “frozen” GDPR or what is called “UK GDPR”. While identical at present in the regulations, there is potential for EU GDPR and UK GDPR to grow apart over time. The UK’s Information Commissioner’s Office (ICO) has stated that GDPR will be transposed into UK law and has issued Brexit Guidance that reinforce the importance of putting basic steps in place. These include:
- Making sure that data flows between the UK and the EEA (European Economic Area) are mapped to ensure that there is an organisational knowledge about the data (including personal data) that is passing between the UK and the EEA, and how it is managed. This could be internal to the organisation or data transfers with third parties.
- Reviewing and amending privacy notices, policies and internal procedures to take account of any new requirements.
- Ensuring that staff, contractors, volunteers, students and others who work for or on behalf of your organisation, are aware of their roles and responsibilities.
More about the ICO recommendations can be found here: https://ico.org.uk/for-organisations/data-protection-and-brexit/
As a “No Deal” Brexit will also impact the transfer of data (personal data) from the EEA to the UK, UK organisations will most likely see an increase in GDPR compliance measures that colleagues from the EEA will expect from us, such as requirements to agree to more robust contractual terms as well as the provision of more evidence that UK organisations are compliant with their GDPR obligations.
Apart from the advice from the ICO, we would also recommend the following measures to start to prepare for the possibility of a “No Deal” Brexit:
- Using the advice about data transfers between the UK and the EEA to put in place more robust contractual agreements between the UK and EEA organisations.
- Amending and enhancing data security measures and procedures dealing with potential and actual data breaches.
- Reviewing data retention schedules and record management policies.
If you wish to learn more about this issue and others relating to your role as DPO or Data Protection Lead – we are running a Data Protection Officer Workshop on 8 February in London. More details here or by contacting Patrick at firstname.lastname@example.org
© Naomi Korn Associates, 2019. Some Rights Reserved. The information here is licensed for use under a Creative Commons Attribution Share Alike Licence (CC BY SA)