What does Brexit mean for your organisation’s data protection?
12 April 2017
We are at an interesting juncture for data protection laws in the EU, with the impact of Brexit on their future in the UK remaining to be seen. From May 2018, EU data protection laws, including the current UK Data Protection Act, will be overhauled by a new EU-wide General Data Protection Regulation (GDPR). The UK government recently confirmed that the UK will implement the GDPR when it takes effect across the 28 EU Member States.
If data protection compliance wasn’t already at the forefront of people’s minds, it will be going forward. The GDPR will see the introduction of onerous new obligations on those processing personal data and potentially huge fines for non-compliance (of up to 4% of an organisation’s annual worldwide turnover or €20 million, whichever is higher).
What impact will Brexit have on the GDPR in the UK?
It is not yet clear whether all directly applicable EU law in force pre-Brexit, such as the GDPR, will remain in force immediately after the UK leaves the EU. Some transposition will be required and the outcome of the upcoming negotiations will be a major factor. The UK is likely to adopt laws which remain aligned with those in the EU, to maintain business as usual and to ensure the UK is considered to provide adequate protection for data transferred from the EU to the UK post-Brexit.
Questions raised include the continued role of the UK Information Commissioner’s Office (ICO). The ICO currently represents the UK’s interests within the EU data protection working party and will therefore continue to play a part in shaping the guidelines for the GDPR prior to May 2018. While the UK is still likely to track EU data protection standards post-Brexit, it will (most likely) be unable to influence legislative changes as it did as a member of the EU, and the ICO is unlikely to constitute a “lead supervisory authority” for the purposes of EU data protection laws.
Pan-EU organisations whose main EU establishment is currently in the UK will need to consider the location of their secondary EU branch/establishment as this is likely to determine where their lead supervisory authority will be based. Remaining accountable to both authorities will be an ongoing balancing act for such organisations. For those organisations solely based in the UK, the basis on which their supervisory authority will be determined post-Brexit remains uncertain.
In March 2017, the House of Lords EU Home Affairs Sub-Committee is hosting meetings with the ICO, to explore issues such as how the UK will be able to influence global data protection standards from outside the EU and what support the ICO offers to organisations in preparation for the incoming GDPR.
What practical steps can you take now?
Despite ongoing uncertainty, there are several things you should remain focused on in the short to medium term. Given the breadth of changes introduced by the GDPR, UK organisations should start preparing for compliance well in advance of May 2018. The ICO has published some helpful guidance. Below is a handy checklist to help prepare for compliance:
- Resources and budget - Appoint an individual or team in your organisation to oversee the transition and ensure that an appropriate budget has been allocated to build out new processes and policies.
- Personal data assessment - Assess what personal data your organisation collects and holds, where it is stored, and how it is used. Consider instructing a third party to audit your IT and security systems.
- Third parties - Know who you are collecting personal data from and who you are transferring it to. You may need to renegotiate contracts with data processors (which could take some time) and obtain clearer consent from data subjects prior to May 2018.
- Data processing - Review and update any data subject consents, internal training, privacy notices, policies and data transfer mechanisms. Review existing procedures and create new ones to address restrictions on certain types of processing, such as automatic profiling, and support new data subject rights being introduced, such as data portability.
- Data breaches - Design and implement a data breach response plan to ensure you are able to meet the new 72-hour deadline to report sufficiently serious breaches to the relevant supervisory authority. Note that you will only have to notify the authority of a breach where it is likely to result in a risk to the rights and freedoms of individuals. Consider in advance which breaches of which personal data are likely to have this impact so that you are able to swiftly identify breaches that need to be reported.
- Accountability - Create an audit trail and ensure you are able to demonstrate compliance, i.e. implement privacy impact assessments, record keeping and clear governance structures. Consider whether your organisation is required to appoint a data protection officer.