In Part 1 of our series on Brexit, we saw that Brexit definitely did not kill GDPR. In fact, it split GDPR into two:
And, as just one practical difference, we saw how this multiplies your potential liability for huge fines in cases of breach.
We’ll cover this and other practical Privacy aspects from Brexit in this post, Part 2 of our Brexit series. You can watch the accompanying video: Top 4 Brexit Impacts on your GRPR Program, which is part of Privacy Kitchen – FREE video help with GDPR and all things Privacy. If you’re new to Privacy Kitchen, please do check it out here – and click subscribe and notify to hear about awesome Privacy Kitchen videos.
So, sit back, grab a cup of coffee and stay with us because at the end we’ll share some Bonus Tips that’ll help you win business in 2021 and beyond and help you put in place measures to take care of Brexit.
So what does Brexit mean for your Privacy program?
Well, the easy part: nothing changes until the end of 2020.
We saw in Part 1, Did Brexit kill GDPR?, that EU GDPR will no longer be direct law in the UK from 1 January 2021. But until there’s a European adequacy decision in favour of the UK, the UK has to continue applying it to personal data that’s been transferred to UK entities from the EEA before the end of 2020. We call this ‘EEA Legacy Data‘. The government calls it ‘stock data‘, but we think ‘EEA Legacy Data’ is a bit clearer.
We also saw that the UK has already enacted laws to create a twin UK GDPR as from 1 January 2021 and that those changes are almost literally limited to replacing the EU with the UK and removing references to EU oversight.
But what’s this mean to you?
Well, if you are a UK organisation, you absolutely haven’t interacted with Europe in any way, aren’t going to interact with Europe in any way, it may well be you’re just going to be covered by the UK GDPR.
But if you have been dealing with Europe or you continue to deal with Europe, maybe you’ve got a subsidiary there, you sell to individuals there, you monitor individuals there, then there’s a very good chance you’re going to be subject to both the UK GDPR and the EU GDPR.
And for people who are outside the UK and the EEA anyway – say, for example, the USA – you’re going to have to look at the two territories separately: EEA and the UK, and you’re potentially going to have to comply with both GDPRs.
Okay, now, for 4 big practical effects of having the two laws.
The first impact is the potentially massive multiplication of regulatory risk or fines – something UK Ltd’s Boards of Directors should be very worried about.
The UK GDPR’s fine structure is identical to the EU GDPR’s with the €20m euros part replaced with £17.5m. That ‘4% of global turnover if higher’ still is there.
You still need to record all breaches, and you still need to notify certain breaches to the UK ICO and certain ones to the individual. But because of Brexit, unless there’s a new agreement put in place, the UK can’t make use of consistency mechanisms, the One-Stop Shop, etc. These are the mechanisms that mean if you have a breach affecting several countries in the EEA, one country’s regulator will take point and investigate it and fine on behalf of everybody else.
Unless an agreement comes into place otherwise, if you have a data breach in 2021 or beyond, you may well have to notify all of those EEA regulators and be subject to investigations by all of them, and potentially fines from each of them, as well as a fine and investigation from the UK ICO.
Now, let’s not run away with fear. But let’s recognise that that risk is there – and stick around for the Bonus Tip to help address this.
The second big practical difference, or group of differences, is around transfers.
A ‘transfer’ is when personal data goes outside, or is accessed from outside, the jurisdiction of the law. Now, the jurisdiction of the law for the EU GDPR is the EEA and the jurisdiction of the law for the UK GDPR is the UK. You’ll still deal with transfers in the same way – in practice, that’s adequacy decisions first and, if not, Standard Contractual Clauses – but the jurisdiction and the geographic area has changed, and there are two main impacts.
First, when you transfer personal data outside the UK to a processor or another controller, you’ll need to identify the safeguard for that transfer like the Standard Contractual Clauses and adequacy decision – but under the UK GDPR.
If you have to comply with the EU GDPR, you’ll be looking at that for transfers out of Europe. So you’ll need to record these adequacy decisions (or have these Standard Contractual Clauses in place) for potentially both GDPRs depending on where you’re exporting the data from.
From 1 January 2021, the UK essentially just takes everything from the EU GDPR, so we can rely on all those adequacy decisions, we can use the EU Standard Contractual Clauses. You don’t need to make any changes to what you’ve already got in place now.
Then you’ll need to record these transfers outside the UK correctly in your Article 30 records for UK GDPR. If you’re also transferring outside of the EEA, you’ll have Article 30 records for the EU GDPR, so you’ll have two slightly different sets of the same type of record.
The next group of practical effects is all about people. Each organisation will need to review whether they need a DPO, a Data Protection Officer, under the UK GDPR and a UK Representative.
Now, EU GDPR has the requirement for a DPO in certain circumstances and an EU Representative in certain circumstances – and the rules are identical. So do have a look at our ‘Do I need a DPO?‘ and ‘Who can be DPO?‘ videos, they equally comply under UK GDPR.
What this does mean is some organisations will be doubling up.
Last, but by no means least, you’re going to have to review all of your Privacy documentation and documents that touch Privacy from Privacy Policies to DPIAs – Data Protection Impact Assessments – your Processing Agreements, Joint Controller Arrangements, etc. You’ll need to see how these need changing to take account of these two almost identical but different laws. It may be a reference change in some, maybe more in others.
And you’ll have to do all of this, taking into account if you’ve got any EEA Legacy Data to which the EU GDPR still applies until there’s an adequacy decision.
And now that Bonus Tip, and it sounds again like we could do with one – so, again, we’ve got a few.
First, make sure your Privacy Governance is principles-based so that your Privacy Framework, everything you do, reflects the principles in the EU GDPR. The principles are identical in the UK GDPR. That way, all of your policies, all your procedures, training, awareness, reporting structure – everything you’re looking out for – will be applicable to both, with a few tweaks on the procedures that are impacted.
Now, if you’re in the UK and have EEA customers, do prepare for no adequacy decision by the end of 2020. It’s quite simple. Have the EU Standard Contractual Clauses ready to go as of 1 January 2021. They’re easy to put in place – you can’t actually negotiate them, you just fill in the blanks and describe your security. Now, obviously you have to comply with them, which we’ll assume you do, because the GDPR already applies here in the UK. This will mean that the EU GDPR effectively is imported with data that you receive and applies to your processing of that data.
Next is to make those SCCs part of the same document as your general Processing Agreement, into a nice, complete Data Processing Addendum.
And if you have one or more EEA establishments – and that is defined very broadly, we’ll look at that too – do consider making one of them the controller of personal data for data subjects in the EEA.
This cannot be lip service, it does mean they’re meant to be in the driving seat for determining the purpose and means of processing EEA personal data. But if you can do it, it means your UK presence should be largely ring-fenced from that risk of multiple fines that we talked about because that EEA establishment will be your main actor in Europe and will be able to benefit from the One- Stop Shop and consistency mechanisms we discussed.
So there you go! A quick run through Brexit and GDPR and what it means for your Privacy compliance practice. It’s more important than ever to have principles-based governance in place.
Please do contact us to see how Keepabl can save you time, money and stress on GDPR and do use #privacykitchen to let us know other topics and questions you want covered.
Stay well in the meantime, and I look forward to seeing you in Privacy Kitchen soon!
Breach of the Principles can lead to the highest fine under GDPR, namely the higher of 4% of global turnover or €20m under EU GDPR, £17.5m under UK GDPR. That’s…