[BreachExchange] BREXIT: What Does It Mean for Data Protection and What Should You Be Doing Now?

Audrey McNeil audrey at riskbasedsecurity.com
Thu Jul 7 18:45:34 EDT 2016


http://www.jdsupra.com/legalnews/brexit-what-does-it-mean-for-data-35880/

While we wait to see what the BREXIT result will mean for the UK’s data
protection regime, it is important to recognize that the result will not
change anything immediately. The exact nature of the post-BREXIT UK-EU
relationship will influence any UK data protection reform, and it is highly
likely that the UK will continue to be heavily influenced by EU laws.
Indeed, the UK’s data protection authority (the ICO) has emphasized that
“international consistency around data protection laws and rights is
crucial both to businesses and organisations and to consumers and citizens.”

So what should you be doing now?

Prepare for the GDPR and changes to UK data protection laws

Data controllers established in the UK processing personal data in the
context of that establishment are currently subject to the UK’s Data
Protection Act (DPA). Once the EU’s General Data Protection Regulation
(GDPR) comes into effect on May 25, 2018, the UK will still be a member of
the EU and so the GDPR will automatically replace the DPA. UK companies
will then need to comply with the new regime until BREXIT occurs. Following
that, the GDPR will fall away but we do not yet know what form any
replacement legislation will take. If the UK wants to continue trading
with other EU Member States, it will likely need to adopt legislation
similar to the GDPR (see further below). With this in mind, businesses
should continue with their GDPR compliance preparations.

In addition, the GDPR will not only apply to businesses established in the
EU, but it will also apply to businesses outside the EU that process
personal data of EU citizens, either by offering services or goods or by
monitoring behavior. Therefore, following BREXIT, the GDPR will still apply
to UK-based businesses trading with the EU or targeting EU citizens. Such
businesses therefore should continue their GDPR compliance efforts.

Consider where personal data is processed and transferred

EU data protection laws prohibit transfers of personal data to countries
outside the European Economic Area (EEA), unless they have been recognized
as providing “adequate protection” to personal data. Companies need to
consider whether they receive data in the UK from global regions which are
currently compliant based on the UK being within the EU or EEA. If the UK
is not classified as “adequate” post-BREXIT, UK companies receiving data
from the EEA will need to re-think their data protection compliance
strategy and put in place adequate safeguards, such as Model Clauses and
Binding Corporate Rules.

In addition, the converse (transfers outside the UK) may also be an issue
and so companies should consider whether they send personal data from the
UK and what compliance measures they may need to put in place. The new
EU/U.S. Privacy Shield is due to be adopted early next week. Following
BREXIT, the Privacy Shield will not cover transfers from the UK to the U.S.
However, the ICO could approve the Privacy Shield as an adequate means of
data transfer from the UK to the U.S., or it could establish a similar
framework (e.g. like the U.S.-Swiss Safe Harbor framework).

Determine where the organization’s main EU establishment will be

Some GDPR provisions are dependent on the “main establishment” of a
business being in the EU. Once the UK leaves the EU, a company with UK-based
headquarters will no longer count as having its main establishment in the
EU under the GDPR. This will affect a company’s lead data protection
supervisory authority under the GDPR for the purpose of enforcement and other
matters such as approval of Binding Corporate Rules.

It is hard to predict at the moment precisely the timing and scope of legal
changes to the UK’s data protection regime resulting from BREXIT. We will
continue to monitor developments closely and keep you fully informed as
the post-BREXIT process unfolds.