The reality of Brexit is looming ever larger as we draw closer to the 29th of March. The day Britain leaves the EU. Definitely. Maybe. Certainly. Probably. Perhaps.
With all the political wrangling, the potential delays, or threats of daily referenda, you can be forgiven for not having any idea what’s going to happen (the Government certainly doesn’t). But whether we leave the EU with a deal, without a deal, or don’t leave at all, the effect on your organisation could be enormous.
So, this brings me to the point of today’s blog. There is a very real chance that Britain could leave the EU with no deal in place at all and I want to discuss what this means with regards to the GDPR, what changes you might have to make to prepare, and what we at iHASCO have already done to make sure everything goes as smoothly as possible.
Why does a no-deal matter?
Let’s start with the basics – I apologise if you already know this but I want to make sure we’re all on the same page. The GDPR is an EU Regulation: it was adopted by the European Parliament and the Council of the EU and applies directly in ALL member states. It doesn’t require individual countries to pass their own laws or vote on it in their own parliaments; it simply takes effect across the EU automatically, with each country’s supervisory authority (the ICO in the UK) enforcing it.
This means that once the UK is no longer a member state, the GDPR itself stops applying to us as EU law. But, rather than face restrictions on transfers of data to and from the EU (which could be catastrophic to many organisations), the UK has written the GDPR into domestic law: the Data Protection Act 2018 (DPA) supplements it, and the EU Withdrawal Act carries the regulation’s text over as “retained EU law” on exit day, so the same rules continue to apply in the UK.
However, being almost identical is not the same as being the GDPR. If we leave the EU without some kind of deal in place (a deal would almost certainly cover the transfer of data), the UK becomes a “third country” in the EU’s eyes, and its data protection regime is not automatically treated as “adequate”. And this all comes down to the EU’s rules on restricted transfers.
What is a restricted transfer?
Under the GDPR, sending personal data from your country to another is perfectly fine as long as the destination is another EU or EEA country: the ordinary GDPR obligations still apply, but no extra transfer mechanism is needed. That’s the beauty of the GDPR, it makes transfers to any other country under its protection safe, simple, and smooth.
However, if you want to transfer data OUT of the GDPR’s jurisdiction (a restricted transfer), that’s where things can get a little tricky. There are three conditions for making a restricted transfer, and you need to satisfy at least one of them, in the order below, for the transfer to be lawful.
The first condition is whether the country you’re transferring to is covered by an Adequacy Decision (Article 45). This is a decision by the European Commission that a particular country’s existing data protection legislation offers an essentially equivalent level of protection. The list changes over time as decisions are adopted, reviewed and, occasionally, struck down. You can see which countries are currently covered here.
If your intended country isn’t covered by an Adequacy Decision, the next condition is to put in place one of the appropriate safeguards that protect people’s data to the standard set by the GDPR, such as the standard contractual clauses or binding corporate rules. The regulation itself provides the full list of appropriate safeguards (Article 46(2) and (3)), which you can view here.
Finally, if there’s neither an Adequacy Decision nor an appropriate safeguard in place, then the transfer can only go ahead if it’s covered by one of the specific derogations listed in Article 49 (for example, the explicit consent of the person whose data it is), which you can view here. These are meant for occasional transfers, not for routine day-to-day processing.
What does this mean for the UK?
The UK Government has already confirmed that, post-Brexit, transfers of personal data from the UK to the EU and EEA will continue to be permitted. So, if that’s the only transfer you need to make, you’re covered.
However, unless we have a deal in place, transfers of data from the EU to the UK will be restricted transfers and subject to the three conditions above. The organisations that send you data will need to make sure their transfers are covered by one of those conditions, and as the recipient you will usually be the one asked to sign up to the safeguard.
Even though it would be in the EU’s interests to make transfers to the UK as smooth as possible by making an Adequacy Decision, the process takes a long time and the Commission has said that an adequacy decision is not part of its no-deal contingency planning, so it’s very unlikely one would be in place by the time we leave.
So, if you receive data from the EU, you need to be prepared for a no-deal Brexit by 29th March. This means either making sure an appropriate safeguard (typically standard contractual clauses) is in place with each EU organisation that sends you data, that the transfer is covered by one of the Article 49 derogations, or that you change where you import data from – to within the UK, for example.
Additionally, any arrangements between third countries and the EU will no longer apply to the UK once we leave. For example, in the USA, companies can self-certify under the Privacy Shield Framework, which allows EU organisations to send them personal data. Currently, transfers from the UK are covered by this (being in the EU and all), but if we leave without securing a deal, a US company’s Privacy Shield commitments will no longer automatically cover data it receives from the UK.
What has iHASCO done to prepare?
To help us deliver our training, iHASCO relies on the services of certain third parties. They serve as data storage centres, they provide email services for our clients, or they generate course completion certificates, among other things.
Most of the third parties we use are located in the UK and so are subject to (currently) the GDPR and the DPA. We have Data Processing Agreements in place with them, ensuring that they handle data in accordance with the standards set by data protection legislation.
However, some of our third parties are located outside of the UK - in both Ireland and the USA. We already have Data Processing Agreements in place with these organisations but, with a no-deal Brexit looming, we are currently working very closely with them to put the EU’s standard contractual clauses in place so that international transfers of data can continue (this is one of the appropriate safeguards mentioned earlier in the blog).
This means that whether Britain leaves the EU with a deal, without a deal, or doesn’t leave at all, our clients’ data will not be affected. You’ll have full access to it: to amend, delete, transfer, or restrict its use, and you can continue to enjoy the same level of service from iHASCO, regardless of the chaos ensuing elsewhere in the country.