Could a no-deal Brexit make your business GDPR non-compliant?
A day before Theresa May announced that she arrived at a Withdrawal Agreement with the EU Council, the European Commission published the second of its Contingency Action Plans (EC COM (2018) 880), setting out its proposals to mitigate against any potential “no deal” disruption (the “Communication”).
The Communication emphasises that businesses have responsibility for preparing for Brexit, including preparation for a hard or no-deal Brexit. The Communication proposes that contingency plans must be put in place in a number of key areas, including for personal data transfers. Currently, as a member of the EU, free flows of personal data to the UK from the EU are permitted. Once the UK ceases to be a member of the EU on 29 March 2019, it will become a “third country” for the purposes of data protection. This means that free flows of personal data of EU residents from the EU to the UK will not be permitted pursuant to the rules on international transfers under the EU General Data Protection Regulation (GDPR).
Many hoped that the European Commission would provide the UK with an Adequacy Decision which would have continued to allow the free flow of data after Brexit. However, the Communication appears to thwart this hope by declaring that an Adequacy Decision is not part of the Commission’s contingency planning.
Instead, the European Commission directs contingency planning efforts to the “Appropriate Safeguards” provided for under the GDPR, including standard contractual clauses, binding corporate rules, explicit consent, performance of a contract and exercise of legal claims.
In light of the Communication, businesses should start planning for the particular Appropriate Safeguard they will need to rely on to transfer EU resident data to the UK after Brexit.
This will be particularly critical for businesses who have operations across the EU, including for shared services. Failing to have Appropriate Safeguards in place risks them making a "non-compliant" international transfer. That in turn puts them at risk of a GDPR fine, which can be up to 4% of global annual turnover (or €20 million, whichever is greater) from the EU’s data protection authorities.
For more information on how to prepare, please contact:
Natalie Semmes - Partner, BPM Practice Lead, Tech Solutions
Rachel Tracey - Director, FS Tech Consulting Data Co-Lead
Mark Thompson - Global Privacy Lead
Leanne Allen - Director, FS Tech Consulting Data Co-Lead