Rachael Eyre looks at the data protection implications for UK law firms post-Brexit.
On 1st January 2021 the Transition Period ends, and the UK is no longer subject to EU law*. This includes the GDPR.
From next year the GDPR will be incorporated into UK law and become the UK GDPR and, for the main part, be the same. There will be some tweaks around reporting establishments and the ‘one stop regulatory shop’ will stop. This might result in double fines.
In addition, the EU / US Privacy Shield has been found not to provide sufficient protection for personal data in the Schrems II decision.
The Challenges
The main change for organisations is where personal data is transferred into or out of the UK. There are several different categories:
Personal data transferred to the EEA or a country with an Adequacy finding
UK organisations can continue to transfer personal data to these countries as before as they are deemed safe under the UK GDPR.
Personal data transferred to a country outside of the EEA and without an Adequacy finding (including the USA)
For these countries, you will need a safe mechanism. Currently available safe mechanisms are:
- Binding Corporate Rules (BCR) – effective within your own organisational structure and must be approved by a supervisory authority (such as the ICO).
- Standard Contractual Clauses (SCC) – these have to be incorporated in their entirety and without modification. Organisations should ensure that the SCCs are adequate or add supplemental clauses to the rest of the contract where more is required. SCCs are under review in the EU and UK.
Personal data transferred to the UK from the EEA or a country with an Adequacy finding
The UK will be the equivalent of a third country, so any organisation sending personal data will need SCCs or BCRs.
Where you offer goods or services to individuals in the EEA but have no office or establishment in the EEA
In this case you will need to appoint a European Representative. They act as a contact point between you and your client / customer and between you and the supervisory authority (equivalent of the ICO) in the EEA. It can even be deemed that you are offering goods and services to individuals in the EEA if your website translates into a European language, or you offer delivery there. There are many organisations throughout the EEA (and in the UK) set up to offer this service economically.
What about Adequacy?
The UK is negotiating an Adequacy finding; this may not happen as there are difficulties around The Investigatory Powers Act and The Internal Markets Bill. So, while the UK will stay closely aligned to the EU GDPR, it’s not certain there will be an Adequacy finding, making SCCs etc. necessary.
What about the Privacy Shield?
As with Safe Harbour in 2015, Schrems II has confirmed the Privacy Shield to be inadequate protection. In any event, it’s an EU / US Privacy Shield, so on leaving the EU the UK was no longer protected by it. Other mechanisms will need to be utilised.
Things to do before 1st January 2021
- Check your data flows – are you sending anything outside of the EEA and Adequacy countries?
- If yes, carry out a Transfer Impact Assessment – like a Data Protection Impact Assessment but concentrating on the countries you’re sending to. Check your mechanisms are adequate post leaving the EU and post Schrems II.
- If your mechanisms are not adequate, then you need to look at Binding Corporate Rules (if within your own organisation) or Standard Contractual Clauses if not. This includes anything that was previously under the Privacy Shield. You may need to put additional terms in your data protection provision to ensure the SCCs are robust enough.
- If you are receiving personal data from an organisation in the EEA / Adequacy country you will need to ensure that your contract includes an adequate mechanism for transfer, such as SCCs or BCRs.
- If you are offering goods or services in the EEA and do not have an office or establishment there, appoint an EU Representative.
The future?
There may be an Adequacy finding, which will make transfers easier.
The European Data Protection Board is due to release further guidelines. While the UK won’t be bound by them, it’s likely the UK will stay aligned.
Other mechanisms, such as standard data protection clauses adopted by the ICO, approved codes of conduct together with binding and enforceable commitments of the receiver outside of the EEA and certification under an approved certification mechanism will be adopted by both the EU and UK. SCCs are also under review in both jurisdictions; expect updated ones in 2021.
If you need further details, the ICO has plenty of resources, including checklists and self assessments. You can also contact us if you are a law firm concerned about keeping your data flowing.
*This note is based on the envisaged ‘non negotiated outcome’ or no deal scenario. If a deal is struck with the EU in the meantime, we’ll update this note as necessary.