Data Protection Law (Brexit UK)

The UK has today issued Guidance on how UK Brexit Data Protection Law will operate. This guidance is here. There is already a UK Technical Notice on the subject.

The EU (Withdrawal) Act 2018 (EUWA) retains the GDPR in UK law. The fundamental principles, obligations and rights that organisations and data subjects have become familiar with will stay the same.

To ensure the UK data protection framework continues to operate effectively when the UK is no longer an EU Member State, the Government will make appropriate changes to the GDPR and the Data Protection Act 2018 using regulation-making powers under the EUWA.

The regulations and more detailed guidance will be published in the next few weeks.

These regulations would:

• Preserve EU GDPR standards in domestic law

• Transitionally recognise all EEA countries (including EU Member States) and Gibraltar as ‘adequate’ to allow data flows from the UK to Europe to continue

• Preserve the effect of existing EU adequacy decisions on a transitional basis

• Recognise EU Standard Contractual Clauses (SCCs) in UK law and give the ICO the power to issue new clauses

• Recognise Binding Corporate Rules (BCRs) authorised before Exit day

• Maintain the extraterritorial scope of the UK data protection framework

• Oblige non-UK controllers who are subject to the UK data protection framework to appoint representatives in the UK if they are processing UK data on a large scale

I will add this legislation to the Global OHS and ENV Brexit Law List, in subscription Cardinal Environment EHS Legislation Registers & Checklists.

The Government has also issued 6 Steps for Business to take – here.

Six steps

1 Continue to comply: Continue to apply GDPR standards and follow current ICO guidance. If you have a Data Protection Officer, they can continue in the same role for both the UK and Europe.

2 Transfers to the UK: Review your data flows and identify where you receive data into the UK from the European Economic Area (EEA). Think about what GDPR safeguards you can put in place to ensure that data can continue to flow once we are outside the EU.

3 Transfers from the UK: Review your data flows and identify where you transfer data from the UK to any country outside the UK, as these will fall under new UK transfer and documentation provisions.

4 European operations: If you operate across Europe, review your structure, processing operations and data flows to assess how the UK’s exit from the EU will affect the data protection regimes that apply to you.

5 Documentation: Review your privacy information and your internal documentation to identify any details that will need updating when the UK leaves the EU.

6 Organisational awareness: Make sure key people in your organisation are aware of these key issues. Include these steps in any planning for leaving the EU, and keep up to date with the latest information and guidance.

General Data Protection Regulation (EU)

The General Data Protection Regulation (2016/679) is here. Article 5 sets out the principles.

The GDPR applies from 25th May 2018 and overrides national law (although in some instances new national law may additionally be brought in).

[Brexit : the GDPR applies in the UK from 25th May 2018 – after Brexit, the GDPR will apply in the UK via the EU (Withdrawal) Bill – see separate Blog post – the EU (Withdrawal) Bill is not yet enacted]

[UK : separately (and not to be confused) a new UK Data Protection Bill is almost enacted – see Explanatory Notes here]

The general data protection regulation (GDPR) is part of the EU data protection reform package.

Features

• a single set of EU-wide rules — it repeals the pre-existing European Directive 95/46/EC;

• a data protection officer, responsible for data protection, must be designated by public authorities and by businesses which process data on a large scale;

• one-stop-shop — businesses will deal with one single supervisory authority (in the EU country in which they are mainly based);

• EU rules for non-EU companies — companies based outside the EU must apply the same rules when offering services or goods, or monitoring the behaviour of individuals, within the EU;

• privacy-friendly techniques must be used, such as pseudonymisation (when identifying fields within a data record are replaced by one or more artificial identifiers) and encryption (when data is coded in such a way that only authorised parties can read it);

• removal of notifications — the new data protection rules will scrap most notification obligations and the costs associated with these; one of the aims of the data protection regulation is to remove obstacles to the free flow of personal data within the EU;

• impact assessments — businesses must carry out impact assessments when data processing may result in a high risk for the rights and freedoms of individuals;

• record-keeping — SMEs are not required to keep records of processing activities, unless the processing is regular or likely to result in a risk to the rights and freedoms of the person whose data is being processed.
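To make the pseudonymisation bullet above concrete, here is an added illustration (not code from the guidance or from this site): identifying fields in each record are replaced by keyed HMAC tokens, and the key and lookup table are the separately held information that alone allows re-identification, which is why pseudonymised data remains personal data under the GDPR. The records, field names and key are constructed for the example.

```python
import hashlib
import hmac

# Constructed sample records (fictitious people), as a controller might hold them.
RECORDS = [
    {"name": "Alice Example", "email": "alice@example.com", "postcode": "SW1A 1AA", "purchase": 42.50},
    {"name": "Bob Example", "email": "bob@example.com", "postcode": "EH1 1YZ", "purchase": 19.99},
    {"name": "Alice Example", "email": "alice@example.com", "postcode": "SW1A 1AA", "purchase": 7.25},
]

# Fields that directly identify the data subject; the other fields are retained for analysis.
IDENTIFYING_FIELDS = ("name", "email", "postcode")


def pseudonym(key: bytes, field: str, value: str) -> str:
    """Keyed HMAC-SHA256 token. Deterministic under one key, so the same person gets the
    same token across records (analysis stays possible), but without the key the token
    cannot be linked back to the original value. Truncated to 16 hex chars for readability."""
    return hmac.new(key, f"{field}:{value}".encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def pseudonymise(records, key, fields=IDENTIFYING_FIELDS):
    """Return (pseudonymised records, lookup table). The key and the lookup table are the
    'additional information' that must be kept separately from the pseudonymised data."""
    lookup, out = {}, []
    for rec in records:
        new = dict(rec)
        for f in fields:
            if f in new:
                token = pseudonym(key, f, str(new[f]))
                lookup[token] = new[f]
                new[f] = token
        out.append(new)
    return out, lookup


def reidentify(record, lookup, fields=IDENTIFYING_FIELDS):
    """Reverse the replacement; only the holder of the separately stored lookup table can do this."""
    return {f: (lookup.get(v, v) if f in fields else v) for f, v in record.items()}


def leaks_identifiers(pseudo_records, original_records, fields=IDENTIFYING_FIELDS):
    """Check that no raw identifying value survives in the pseudonymised dataset."""
    raw = {str(r[f]) for r in original_records for f in fields if f in r}
    return any(str(r[f]) in raw for r in pseudo_records for f in fields if f in r)
```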

---

The UK Information Commissioner’s Office (ICO) has a useful updated guide in English here.

ICO guidance for small organisations is here.