What does Brexit mean for personal data under GDPR

in Advisory, 12.02.2019

As the uncertainty around Brexit continues, questions remain about the future of personal data. What precautions must be taken before sending data to the UK? With firms still adjusting to the GDPR, planning for data transfers following Brexit presents yet another challenge. In this article we will look at what to do if the withdrawal agreement is passed, and if it’s not—resulting in a “no deal” Brexit.

For more guidance on this topic from the CNPD, read this article (French).

Scenario 1: the withdrawal agreement is ratified

No action required.

If the withdrawal agreement is passed, then the EU data protection rules will continue to apply in the UK during the transition period (30 March 2019 to 31 December 2020). In this case, concerned institutions will not have to apply any specific additional procedures if they engage in transfers to the UK after 29 March 2019.

After the end of the transition period, the agreement foresees that the UK will continue to apply the EU data protection rules until the EC issues an “adequacy decision”. An adequacy decision means that, following the evaluation of the UK data protection rules, the EC considers that the level of protection is equivalent to the EU rules.

Transfers should in any case comply with all other requirements and general GDPR principles.

Scenario 2: a “no deal” Brexit

Action very much required.

In the event of a “no deal” Brexit with no adequacy decision from the EU, the UK will be considered a “third country” under the GDPR as from 30 March 2019. Concerned institutions should comply with the rules per chapter V of the GDPR, which governs the transfers of personal data to third countries.

What does this mean? In the absence of or until an adequacy decision from the EU is approved, concerned institutions should implement at least one of the safeguards foreseen in Article 46 of the GDPR:

  • Standard Contractual Clauses (SCC) adopted by the EC or contractual clauses agreed upon between relevant parties and approved by the Supervisory Authority)
  • Binding Corporate Rules (BCRs), which are applicable mainly to intragroup data transfers; to be valid they have to be validated by a lead Supervisory Authority
  • Compliance with a code of conduct (validated per Article 40) or certification mechanisms (established in Article 42)

Alternatively, one could make use of the derogations per Article 49 of the GDPR, bearing in mind that such derogations / exceptions may not become a rule.

In the absence of appropriate safeguards or use of a derogation, transfers to the UK will be prohibited.

In a “no deal” Brexit, how can data be legally transferred to the UK?

Considering that it is not feasible that an adequacy decision will be adopted by the EC before the end of March 2019, institutions should evaluate which of the safeguards above is the most relevant, and ensure that it is in place by 30 March 2019. Due to the short timeframe, organizations that have not yet been working under a “no deal scenario” should start this process now.

The most appropriate safeguard, considering the very short timeframe, is the implementation of the Standard Contractual Clauses (SCCs) adopted by the EC. These clauses have to be tailored to the specific data transfers and have to be signed off by the financial institution and the third party (intragroup or not) in the UK.

Concrete actions that can be taken now:

  • Review the record of processing activities and confirm that all data flows with the UK are documented.
  • Ensure that the SCCs are aligned with the record of processing activities.
  • Agree on and sign the SCCs with the third parties concerned.
  • Assess the technical and organizational measures put in place and determine whether they are sufficient considering the risks and specific case (not forgetting that SCCs are only a legal mechanism).

For more information, please contact me or visit our webpage.

Leave a Reply

This blog is pre-moderated which means that all comments are reviewed by a moderator before they appear. KPMG reserves the right not to publish any comments made.