Did Brexit really kill the UK GDPR? A lot of people were confused (and rightly so) as the 31st of December came and went. What I’m going to do here is unpick the information on GDPR from all the confusion around the Trade Deal announced at the very last minute by the UK Government and the EU.
End of transition period predictions
The Transition Period (commonly called 2020) ended but in terms of GDPR, it was replaced by an “extended period” for personal data flows. It is known as a Bridging Agreement that will initially run for 4 months but can be extended up to 6 months. To say this was a surprise is understating it by a huge margin. Basically, UK-EU personal data flows can continue – for the moment – with no changes!
One reason for the surprise element is that there is no mention of the Bridging Agreement in the actual Trade Treaty document. Certainly not the one available from the UK web site. I only became aware of it through a response the ICO posted on their website.
The reason behind the extended period for personal data flows is to allow the EU time to come to an agreement regarding if the UK’s Data Protection laws provide an ‘adequacy’ to GDPR. This adequacy decision is very important to the UK. If the UK is deemed adequate, then UK-EU personal data flows can continue as normal. If it goes the other way, then things get rather messy for UK companies processing EU personal data.
I can make two predictions with a good degree of certainty, and a third with rather less:
- The extended, extended period (i.e. 4 months extended to 6) will elapse and there will be no adequacy decision
- There will be another “extended period” for personal data flows to keep things moving as they are
- The adequacy decision will be a political decision and may not reflect the opinion of the European Data Protection Board
The first prediction is an easy one as the EU tends to operate slowly. There are a number of things that need to happen before the adequacy determination process completes. These depend on different bits of the EU apparatus doing their bit but of course, they all have their own timetables.
The second prediction is also easy, since another extension is the path of least resistance. Of course, if the UK is in the middle of a trade dispute with the EU, personal data flows might be used as a bargaining chip. I’m hoping the hiccup with the Covid-19 vaccinations was not a sign of things to come.
The third prediction is the one that I think may be 50/50. This is largely due to the Schrems II ruling, which introduces new considerations for the European Data Protection Board to weigh when judging a 3rd country’s adequacy status. It comes down to how much access the state (in that case the USA) has to EU Data Subjects’ PII and the options available to a Data Subject should they wish to complain. A rough assessment of the judgement would say ‘all’ and ‘none’ respectively.
The problem for the EU with the Schrems II ruling is that if they were to evaluate the EU member states as 3rd countries there are quite a few who would fail. The UK was thought to be in this group with two other EU member states before Brexit.
The European Data Protection Board may judge the UK not to be adequate given the Security Services’ access to PII and the limited means of redress should a Data Subject wish to complain. Of course, this would be embarrassing for everyone, which is why I think the EU Commission may override or ignore the judgement and make a political decision.
Whichever way the political decision goes will, of course, reflect the status of the UK-EU relationship at that point. Let’s hope there are no more trade hiccups between then and now.
How businesses can prepare for the adequacy decision
Regardless of the final scenario or case, organisations should give serious consideration to the following activities while we have this grace period before the adequacy decision is announced:
- Conduct an audit for EU personal data – check the data flow transfers to and from the EU and determine whether the processing activities are related to offering goods
- Identify Privacy Notices that may need changing – provide transparent information about your activities to your data subjects in your privacy notices
- Assess processing activities for potential improvement – a DPIA will help you understand the risks to the security and privacy of the data you process and decide ways to mitigate those risks
- Determine if you need to appoint an EU representative – if your organisation will not have a base inside the EEA, the EU GDPR may require you to appoint a representative in the EEA
- Identify data processing agreements with data processors – review all contracts with suppliers, service providers, and other parties in relation to EU and UK data transfers
- Determine if Standard Contractual Clauses are required – SCCs (and, for multi-nationals, BCRs) supplemented by additional measures would be the appropriate safeguards for international data transfers should there be no adequacy decision
Efforts to prepare for the worst – will not be wasted
Data Processors in the UK are in an odd period at the moment. Brexit came and went with no immediate changes required. While a sigh of relief is understandable, there is a possibility that the UK is classed as a 3rd country at some point in the future. If that happens, then a lot of the changes mentioned above will be required rather quickly.
Being prepared for the worst-case scenario is, in this case, the optimum position. I say that because the activities I suggested are what you should be doing anyway. The preparation list is the best practice that allows a DPO to better understand the datasets they control and/or process. Even if the UK gets adequacy, none of the effort will have been wasted.
Don’t play the odds – reduce them. If you need help getting prepared the Crew can help. We provide data protection services for both DPA and GDPR compliance, along with a DPO on-Demand option. Both services can be customised based on your company’s needs.