No deal Brexit implications for Data Protection - PwC comments on the latest statement from the Department of Digital, Culture, Media and Sport
18 September 2018
The Department of Digital, Culture, Media and Sport (DCMS) published a guidance note on 13 September 2018 on the potential implications for data protection in a ‘no deal’ Brexit scenario. There weren’t any great surprises in the guidance, which concludes that if the UK is not given “adequacy” status then post Brexit UK data importers will need to rely on established mechanisms to legitimise data transfers from the EU, such as EU standard contractual clauses.
Content of the guidance
The guidance confirms that although “it is an unlikely scenario that the UK will leave the EU without an agreement” the government recognises that as we get closer to March 2019 it should provide technical notices to provide guidance on potential implications to assist businesses to make plans and preparations.
Data protection legislation
Current data protection legislation in the UK is set at an EU level by the General Data Protection Regulation (EU) 2016/679 (‘GDPR’) and the recent Data Protection Act 2018. The Data Protection Act 2018 will remain post Brexit and GDPR will be incorporated into UK law due to the European Union (Withdrawal) Act.
The main area for focus identified in the guidance is the restrictions on transfer of data outside the EU. Personal data can only be transferred outside the EU/ EEA to another country (third country) where there is a lawful basis for such a transfer e.g. EU standard contractual clauses. Data can also be transferred to a third country where there is an adequacy decision already in place.
Transfers to third countries
After 29 March 2019, in a scenario where no deal has been achieved between the EU and the UK, the UK will be considered a ‘third country’. The guidance makes reference to the fact that, though this would remain under review, the UK would continue to allow personal data to be freely transmitted from the UK into the EU in recognition that the legislation is so closely aligned .
Transfers from the EU to the UK could result in organisations facing challenges to lawfully transfer personal data where the UK is the Importer. Transfers of data to third countries are permitted where such countries have been deemed by the EU to have “adequacy “status where local legislation meets the same high standards of the EU. The European Commission has indicated that the decision on adequacy for the UK can only begin once the UK has become a third country and no indication has been given on when discussions will begin.
There are substantial reasons to be optimistic that a positive outcome will be achieved. This is because the totality of the data protection legal framework needs to be considered, and in this sense the UK already has a high standard for data protection.
If however no “deal” can be made to cover transitional arrangements prior to “adequacy” being granted then additional transfer mechanisms such as standard contractual clauses may be required and this is identified in the guidance as the most relevant alternative for most organisations.
What should you be doing now?
A lack of adequacy decision should not result in panic. Though the guidance understandably references standard contractual clauses as the most relevant alternative legal basis to transfer personal data, it will be important for organisations to assess whether they may be able to rely on other methods, such as binding corporate rules (BCR).
As detailed above and also in the guidance, there are alternative mechanisms which an organisation may be able to rely upon. With six months to go, we recommend you start preparing now to help put your organisation in the best possible position. This will include understanding your exposure, by considering issues such as:
- What will your cross-border data flows look like with the UK and EU?
- Are these data transfers intra-group or with third parties?
- How critical are these transfers to your business?
- What are your contractual obligations?
- What alternative mechanisms for cross-border data flows are available to you?
It may also include assessing how this preparation can be built into your broader Privacy Transformation programmes and how you can be proactive in your decision making, mitigating any risks which may arise where possible.
There are in addition a number of other areas which may be impacted by Brexit including determining lead authority, impact on existing BCR authorisations, appointment of an authorised representative, and DPO appointments.
If you would like to know how PwC can help you with your strategy for transferring personal data in a ‘no deal’ scenario, and other preparations for Brexit, please contact Stewart Room, Global Head of Cyber Security and Data Protection Legal Services & UK Data Protection National Lead.
See also PwC’s previous opinion (https://www.pwc.co.uk/press-room/press-releases/european-commission-data-protection-notice-brexit-adequacy.html.)