Getting your data ready for Brexit
The General Data Protection Regulation (GDPR) came into force on 25 May 2018 and unifies data protection law throughout the EU. It gives individuals control over their personal data and requires businesses and other organisations to put in place processes that protect and safeguard that data. The regulation also addresses the transfer of personal data outside the EU and EEA.
Dealing with third countries
This aspect of GDPR is now coming into sharp focus as a result of the UK’s decision to withdraw from the EU. GDPR still applies in the UK, however, once the transition period ends, the UK will become a third country subject to the GDPR rules governing the transfer of data outside the EU and EEA.
For Irish companies transferring data to the UK, it will be the same as if they were transferring it to India or Brazil. This will require them to put in place additional safeguards in accordance with GDPR requirements.
Key steps to ensure you are GDPR compliant
The first thing for firms to do is to establish exactly where their data goes. They should already have done this following the enactment of GDPR, but it is worthwhile taking another look in light of Brexit.
Companies may not realise that their cloud storage provider is actually located in Britain or Northern Ireland. Their pension schemes, payroll, healthcare plans may all be run out of the UK and involve the regular transfer of personal data. Workplace benefits databases could also be held in Britain or Northern Ireland. Even translation services might be covered if personal data is included in the material to be translated.
Having established that data is being transferred to the UK, the next step is to decide if that needs to continue. There may be options to look for another service provider in Ireland or another EU Member State and these should be explored.
Standard Contractual Clauses
If it is not possible or if it is too difficult to take this option, there is a ready solution to hand. There is a tool that can be used to solve this problem and it is available on the Data Protection Commission website. It is known as the standard contractual clauses (SCCs). This is a set of off-the-shelf clauses developed by the European Commission and which are recognised as an appropriate safeguard to ensure that firms remain compliant with GDPR.
The SCCs are already written and only require firms to fill in the blanks with their details. They can be appended to existing contracts and come into force when both parties sign them. Once signed, this enables firms to continue transferring data to the UK in full compliance with GDPR, and people still have their rights.
The data subject is also given certain specific rights under the SCCs even though they are not party to the relevant contract.
Firms are also advised to update their privacy statements to indicate that the data is transferring to the UK under the terms of the SCCs.
For a detailed explanation of the standard contractual clauses, visit the Data Protection Commission website.
The SCCs will cover most situations, but there are certain more complex cases where they may not apply. These are relatively rare, but firms in doubt should consult the Data Protection Commission website or seek their own legal advice to check out their particular situation.
There are also certain situations where the data transfer is not covered by contract. These include cases where data is being transferred from a UK Controller to an Irish processor for processing and then transferred back to the Controller. This has been a relatively routine process up until now, as the data remained within the EU at all times. The best advice for firms based in Ireland who find themselves in this situation is to look at the clauses within the SCCs and insert them into the service level agreement governing the activity. This will demonstrate an intention to be GDPR compliant in the new situation.
The same will apply to Irish shared services centres carrying out global back and middle office functions for multinational parents. They should update the terms of service to UK-based affiliates to include the SCCs.
Data Protection Policies
Most larger companies will already have systems in place to deal with the data implications of Brexit, while companies accustomed to sending data outside of the EU and EEA will also be prepared for it.
Some very large organisations use what are known as Binding Corporate Rules (BCRs). These are legally binding internal codes of conduct operating within a multinational group, which applies to transfers of personal data from the group’s EEA entities to the group’s non-EEA entities. The approval of BCR’s can take a significant period of time and also, given the cost and complexity of BCR’s, they are not a suitable transfer tool for most Irish companies.
The only remaining questions for Irish firms transferring data to the UK concern adequacy. Certain ‘third countries’, such as Japan, have received what is known as an ‘adequacy decision’ from the European Commission. This allows a crossborder personal data transfer from the EU to that country, because it has been determined to have an adequate level of data protection safeguards compared to the EU. If the UK does leave with ‘no deal’ after any transition period, it could take some time before the European Commission completes its negotiations with the UK Government in order to deem the UK adequate as a jurisdiction to which data can be transferred under GDPR. Therefore, companies need to explore the options available to them when transferring data to the UK either immediately in the event of a no deal or at the end of any transition period.
Learn more about getting your data ready for Brexit with our webinar with Nicola Coogan from the Data Protection Commission.