It’s a while since we looked at the state of data governance under GDPR. With the Brexit deal, we ask: where are we now?
As many commentators have pointed out, the Brexit deal isn’t as comprehensive as some might like. While it has successfully ensured that there are no tariffs and no quotas on goods flowing between the EU and the UK, the events of the last fortnight have certainly proved that there is more to international trade than tariffs.
Paperwork and compliance might be a new headache for the transportation of goods over what used to be invisible borders, but the situation for services is even more difficult. Although they constitute 80 percent of the UK’s economy, there is little in the deal to allow for the trade of services cross-border. It also has major implications for data governance.
Whether Brexit has any implications for your organisation in terms of fulfilling your responsibilities under GDPR comes down to one simple question: does your organisation hold data on any EU citizens?
If you hold only UK citizens’ data
If the data your organisation holds or processes relates only to UK citizens, then nothing has changed for you.
The GDPR passed into UK law on 25th May 2018. As EU legislation, it applied in the UK until the end of the transition period. Under the UK’s Brexit legislation, the conversion of EU-derived law into domestic law was not a given. However, the GDPR is one example of where an EU-derived law has continued on the UK statute book.
The Information Commissioner’s Office (ICO) remains the supervisory authority for GDPR in the UK. It states: “The processing of manual unstructured data and processing for national security purposes now fall under the scope of the UK GDPR regime. The UK GDPR is the UK General Data Protection Regulation. It is a UK law which came into effect on 01 January 2021. It sets out the key principles, rights and obligations for most processing of personal data in the UK, except for law enforcement and intelligence agencies. It is based on the EU GDPR (General Data Protection Regulation (EU) 2016/679) which applied in the UK before that date, with some changes to make it work more effectively in a UK context.”
If you hold EU citizens’ data
While little has changed in terms of the UK GDPR and the EU GDPR, there is a problem if you hold the data of EU citizens.
This problem issue arises because, under the current Brexit agreement, the EU does not recognise the authority of the UK supervisory authority (ICO).
ICO states: “You may need to comply with both the UK GDPR and the EU GDPR if you operate in Europe, offer goods or services to individuals in Europe, or monitor the behaviour of individuals in Europe. The EU GDPR is regulated separately by European supervisory authorities, and you may need to seek your own legal advice on your EU obligations.”
If you are holding EU citizen’s data, you have two options.
Option #1
First, consider whether you need to hold the data. If it isn’t essential to your current business operations, the best policy you can apply here is defensible deletion.
Option #2
If it is essential for your business to hold the data of European citizens, you need to be clear about how your data falls under the two jurisdictions. This will be even more important – and complicated – if the two regulatory regimes begin to diverge.
ICO says: “If you hold any overseas data collected before 01 January 2021 (referred to as ‘legacy data’), this will be subject to the EU GDPR as it stood on 31 December 2020 (known as ‘frozen GDPR’). In the short term, there is unlikely to be any significant change between the frozen GDPR and the UK GDPR.”
However, if it does happen, divergence will be a significant issue that will need careful management.
ICO recommends that firms put in place safeguards to ensure data can continue to flow into the UK through standard contract clauses.
The analyst firm Forrester has agreed that the lack of an EU adequacy decision is a risk factor companies must manage.
In its 2021 Predications on Privacy, Forrester stated: “Regardless of their headquarters location, companies that store and/or process the data of European citizens (customers and/or employees) in the UK will either need to physically move that data to another geography that provides adequate protection or include standard contract clauses (SCCs) in their contracts.”
The report went on to warn that the lack of an adequacy decision will impact the supply chain of all businesses that rely on technology infrastructure in the UK when dealing with European citizens’ personal data.
ICO provides a tool on its website that may help: https://ico.org.uk/for-organisations/guide-to-data-protection/introduction-to-data-protection/about-the-dpa-2018
If you need further help understanding how the law applies to your organisational data, then please get in touch with the Grant McGregor team. Our team is always on hand to answer your questions.