Tag Archives: Brexit

Google’s British service users’ data to get US oversight

Amid perceived (or professed) uncertainty around the UK’s future GDPR adequacy status, Google executives have opted to transfer oversight of their UK data subjects from their EU subsidiary Google Ireland Limited to their American HQ Google LLC.

Cited by outlets such as Reuters and The Guardian, Lea Kissner, Google’s former lead for global privacy technology, has stated,

“There’s a bunch of noise about the UK government possibly trading away enough data protection to lose adequacy under GDPR, at which point having them in Google Ireland’s scope sounds super-messy. […] Never discount the desire of tech companies not be caught in between two different governments.”

It’s important to remember that the UK doesn’t yet retain GDPR adequacy status, which is subject to current Brexit negotiations. Officially, the Government is seeking adequacy status, and data protection regulations are not expected to constitute an obstacle to any UK-EU departure deal.

Harry Smithson, 28th February 2020

There Now Follows A Brief Interlude…

This blog, charting the progress of the UK towards Brexit and its impacts from a data protection perspective, has been running for a few months now. It seems that every week there has been a new twist or sudden change in direction.

This week, again contrary to many commentators’ predictions, came the news that we have a General Election in six weeks’ time, on 12th December. It is highly unusual to hold an Election so late in the year, a fact that adds to the overall sense of uncertainty over the final outcome.   Voters are likely to cast their vote in line with their Remain or Leave preference as much as their traditional party allegiance.  It may well throw up some surprises.

What is certain however that during the six weeks of the election campaign Brexit and the Withdrawal Agreement Bill will not progress. There now follows, as broadcasters used to say, a brief interlude.  In the meantime, we will continue to monitor and report on data protection developments both in the UK and internationally on our blogs.

Follow the money

And if readers are concerned about the fate of the millions of commemorative 50 pence pieces minted to celebrate the UK’s departure from the EU on 31st October, I understand they have been melted down. They will be re-minted (if that’s the word) when a new Brexit date has been secured.

Please contact us if you have any queries or concerns about how Brexit will affect your business.  Call 01787 277742 or email teambrexit@datacompliant.co.uk

Gareth Evans, 1st November 2019

The Countdown Clock Stalls

Shortly after he was installed in post, the new Chancellor, Sajid Javid, announced that three million new 50 pence coins celebrating Brexit would be issued on 31st October to mark the UK’s exit from the EU.  Millions more were set to be minted in the following months. The move was supposed to underline the Government’s determination to conclude Brexit by their Halloween deadline. Events of the last week mean that the Chancellor may have to shelve plans to issue millions of shiny new 50 pence coins.  How did we get to this situation?

The Prime Minister bought back his version of the Withdrawal Agreement hotfoot from Brussels cutting short his time at the European Summit of EU heads of state.   As widely predicted a Saturday sitting of Parliament was called to vote on the deal. Despite the Government’s best intentions, the Withdrawal Agreement Bill failed to reach its 2nd Reading (the first hurdle for any Bill) derailed by Sir Oliver Letwin’s amendment.

A new week saw another attempt to progress the Withdrawal Agreement Bill (now referred to as “WAB”).  On Tuesday the Bill returned to Parliament and, remarkably, for the first time in four attempts it won a majority in Parliament. But that wasn’t the end of the story. In order to progress the Bill needs to secure time for Parliamentary scrutiny.   The Government had proposed two days of Parliamentary time. This proposal drew considerable opposition – and not just from official Opposition MPs.  As a result, this Programme Bill containing the timetable was rejected. The vote brought the progress of the WAB to a juddering halt.  Suddenly the Government was forced to seek an extension from the EU to the passage of the WAB, possibly for as long as three months. The 31st October deadline for Brexit now looks very unlikely.  Treasury officials so far remain tight-lipped on the fate of the three million commemorative 50 pence coins.

We are now in a period of political stand-off. The Prime Minister has offered considerably more Parliamentary time to scrutinise and debate the 130-odd pages of the WAB provided they agree to a General Election on 12th December. Meanwhile the EU has yet to decide on the length of the extension they are prepared to grant the UK to agree the terms of withdrawal. Opposition parties in the UK will not agree to a General Election until they know the terms the EU are prepared to offer. The stand-off will surely resolve itself but, at the time of writing, it is hard to predict the precise terms of this resolution.   

Data Protection and the WAB

The Withdrawal Agreement Bill and accompanying Explanatory Notes are very light on data protection provisions. Each contains a single paragraph on data protection making clear that none of the current arrangements will change. This is good news for businesses planning for the future.

A good deal of the WAB is concerned with the trading status of Northern Ireland and its relationship with the remaining 27 EU Member States.

As it stands the WAB makes Northern Ireland a member of the EU Customs Union while remaining in the United Kingdom.  This is a significant advantage for Northern Irish businesses that seek to move goods or services cross border with EU Member States.  The legislation is still in draft form and remains subject to amendment but if UK business wish to avoid difficulties in receiving data from other EU members they could derive significant advantage from locating their data processing capabilities in Ulster rather than on mainland UK.  Just a thought…

Please contact us if you have any queries or concerns about how Brexit will affect your business.  Call 01787 277742 or email teambrexit@datacompliant.co.uk

Gareth Evans, 25th October, 2019

Brexit. 14 Days to Go – A Declaration of Intent

Well who saw that coming? Suddenly at about 10.30 on Thursday morning came the announcement that the UK Government and the EU have agreed a Brexit deal. It came as something of a surprise as public pronouncements from both sides of the negotiations had been suggesting a deal was increasingly unlikely. Maybe this was expectation management in action because out of the blue on Thursday morning was a revised Withdrawal Agreement.  Importantly the Agreement was accompanied by a new version of the Political Declaration which outlines the direction of future UK/EU negotiations (more of this below).

Shortly after the announcement of a deal came the news that the Westminster Parliament had voted to sit on Saturday in order to ratify the Withdrawal Agreement that has been hammered out. With the Democratic Ulster Unionists and others refusing to support the agreement it is far from clear that the Agreement will win Parliamentary backing.

The Importance of Data Flows

The Political Declaration that sits alongside the draft Withdrawal Agreement is a statement of intent and is not legally binding on either the UK or the EU.  Nevertheless, it is worthwhile pointing out that right up front in the Political Agreement is a section on Data Protection. The prominence of this section – second in the list of “Initial Provisions” – suggests a genuine wish to secure a basis for the transference of data between the UK and EU once the UK has exited.  The opening paragraph of the section reads as follows: 

In view of the importance of data flows and exchanges across the future relationship, the Parties [the UK and EU] are committed to ensuring a high level of personal data protection to facilitate such flows between them.

It continues

The Union’s data protection rules provide for a framework allowing the European Commission to recognise a third country’s data protection standards as providing an adequate level of protection, thereby facilitating transfers of personal data to that third country. On the basis of this framework, the European Commission will start the assessments with respect to the United Kingdom as soon as possible after the United Kingdom’s withdrawal, endeavouring to adopt decisions by the end of 2020…

Positive Data Protection News for Businesses

For businesses transferring data to or from EU Member States this is encouraging. It has always been clear that should the UK leave the EU it would become a “Third Country” for data protection purposes. Transfers of data to EU member states would have to meet an EU assessment of equivalent levels of data protection.  We have seen several of counties struggle to achieve equivalence standards.

While the UK has written the provisions of GDPR into UK law it would appear, on the face of it, to be a formality to pass the European Commission’s assessment. Here, with the publication of the Political Declaration the EU’s intention to make the equivalence hurdle as easy as possible to negotiate has been signalled. 

It is currently unclear if the Withdrawal Agreement will pass through Parliament but the crucial importance of efficient and secure data flows between the UK and Europe has been underlined by this week’s Political Declaration.

Please contact us if you have any queries or concerns about how Brexit will affect your business, or if you need help with your data protection.  Call 01787 277742 or email teambrexit@datacompliant.co.uk

Gareth Evans, 18th October, 2019

Brexit pathway

Brexit at 20 Days. A pathway emerges

This was the week in which Brexit positions hardened.  Last Monday it became clear that EU leaders were not won over by the UK Government’s Protocol.  The Protocol was launched amid high expectations on 2nd October.  It was designed to break the deadlock and introduce a new approach to the problem of customs checks between the UK and the Republic of Ireland.

Clearly, the lukewarm response of the other EU leaders to the Protocol makes the prospect of a “No Deal” Brexit more likely.  The unattributed response from Number 10 was unequivocal.  The spokesman was quoted as saying:

“(the Government) will not negotiate further (with the EU) so any delay would be totally pointless.  They think now that if there is another delay we will keep coming back with new proposals. This won’t happen. We’ll either leave with no deal on 31 October or there will be an election and then we will leave with no deal.”

A Pathway Emerges

Nevertheless, detailed discussions between Boris Johnson and his Irish counterpart, Leo Varadkar, have taken place. The tone of the joint statement from both Heads of State sounded very different from the anonymous Number 10 spokesman.  The statement said that the two had “agreed that they could see a pathway to a possible deal”.  Discussions on the “pathway” are set to continue in Brussels.  But now, with only barely 20 days to go we are running out of road. 

What lies beyond the Summit?

The subject of Brexit looms large on the agenda for the meeting of the European Council – often referred to as the Summit.  It will take place on 17th and 18th of this month, and will be attended by all the EU Heads of State (including Boris Johnson).It is difficult to predict the direction that the Summit will take. 

The next day, on 19th October, is the critical date for the Benn Act (or Surrender Bill as the Prime Minister prefers to call it).  If by 19th October a Withdrawal Agreement has not been passed by Parliament, the Benn Act requires the Government to request an extension to the Brexit negotiations.  The Act suggests an extension until 31st January 2020, but this would be at the discretion of the EU. 

Significantly the Government has called a special sitting of Parliament on 19th October – the first sitting on a Saturday since the outbreak of the Falklands War.  It is unclear whether the purpose of the “Super Saturday” special sitting is to vote on a Withdrawal Agreement or to map out the Government’s strategy for a no-deal exit. 

Businesses with Clients in the EEA

It is perhaps notable that in recent days the Cabinet Office has been ramping up its communications programme on the consequences of no deal. A number of these are aimed at specific business sectors including data processors and data controllers with clients in EEA countries.

Although the Cabinet Office advice was originally published in February this year it is worthwhile taking another look in the light of the shifting political situation.

Government Advice

The Government’s advice is very clear. In summary organisations that receive personal data from the EU/EEA should

  • review your organisation’s contracts for data transfer
  • Consider including Standard Contractual Clauses (SCC) or Alternative Transfer Mechanisms (ATM) to ensure continuation of legal receipt of personal data from the EU/EEA.
  • Businesses that are part of a multinational group may be able to rely on binding corporate rules (BCRs), for intra-group transfers as an appropriate safeguard

The full Cabinet Office advice can be found here 

 www.gov.uk/guidance/using-personal-data-after-brexit#what-we-mean-by-receiving-personal-data

Data Protection Representatives

If you are processing EEA personal data, you will have to consider whether or not you need to appoint a European ‘representative’ in an EEA Member State.  For example, you will need to appoint a representative if you:

  • have a regular client base in one or more countries the EEA
  • and don’t have an establishment in the EEA
  • and you are transferring personal data from the EEA to the UK for processing

A European representative will act as a contact for individuals and the EU and EEA supervisory authorities in the specific countries in which you operate.  

It is worth noting that current advice from the UK supervisory authority the ICO says that:

‘You do not need to appoint a representative if either:

  • you are a public authority; or
  • your processing is only occasional, of low risk to the data protection rights of individuals and does not involve the large-scale use of special category or criminal offence data.

This is not a straightforward issue.  It is advisable to seek advice from your data protection officer or legal advisor when conducting as assessment of whether or not you need to appoint a data protection representative in the EU or EEA Member States.

Please contact us if you have any queries or concerns about how Brexit will affect your business, or if you need help with your data protection.  Call 01787 277742 or email teambrexit@datacompliant.co.uk

Gareth Evans, 11th October, 2019

Brexit Landing

Brexit “landing zone” in sight? Less than 30 days to find out …

So now we have it. On Wednesday the Prime Minister wrote to Jean-Claude Junker, President of the European Commission, with the Government’s proposals for a new “Protocol on Northern Ireland/Ireland”. This is an attempt to break the logjam of the Northern Ireland backstop which has held up progress on a Brexit deal for so long in the UK Parliament.   

Perhaps PM Johnson’s key line in his covering letter to Juncker is that the Proposal offers “a broad landing zone”. This suggests that the paper is a step in the direction of further talks and not necessarily the take-it-or-leave-it offer which had been briefed in advance. This clearly indicates the intention to secure a Brexit deal remains. But there is very little time left with only 27 days remaining on the Brexit countdown clock. 

The fact that Parliament is sitting following last week’s Supreme Court ruling gives the Government an opportunity to test the waters with MPs, particularly those that objected fundamentally to the backstop arrangements.   This is important as the EU are only likely to re-enter into negotiations if they feel the resultant deal has a chance of passing with a majority in the Westminster Parliament.

Data Transfer has moment in the limelight

Meanwhile Secretary of State for Exiting the EU, Steve Barclay, has been on manoeuvres stressing the importance of a deal, but also the importance of flexibility in negotiations.  A speech in Madrid on 19th September 2019 contained a rare reference to data protection and the status of data sharing if there is a no deal Brexit. Barclay said:

“even though the UK has adopted in full the EU aquis [the body of EU law] on data, the Commission position is businesses here in Spain will be restricted in what data they can share with the UK

That affects not just the tourism industry, not just the 45 million flights from the UK to Spain each year, that affects businesses much more widely, and I wonder within this audience how confident it is that small and medium sized businesses across Spain are fully prepared for that sort of change.”

Clearly there is still a lot to play for in the Brexit negotiations. As the Secretary of State points out it is vital that the outcome is mutually beneficial for all parties.   To quote the text of his Madrid speech

“A rigid approach now – at this point – is no way to progress a deal – the responsibility sits with both sides to find a solution. We [the UK Government] are committed to carving out a landing zone.”

Data Compliance – Impact on UK Businesses

The UK government’s approach to transfers, is to recognize existing EEA countries as offering adequate data protection from the point at which the UK leaves the EU. Any formal discussion of the UK’s adequacy, in contrast, will not take place until after the UK has left the EU.

To ensure that data continues to flow businesses must act to:

  • review data flows from the EU,
  • ensure that all data transfers from the EU are covered by the appropriate transfer mechanism such as the standard contract clauses;
  • ensure internal documentation states that transfers will be made to the UK; and
  • update privacy notices to inform individuals that transfers will be made to the UK;
  • Consider whether not you need to appoint a Data Protection Representative in the EU.

Please feel free to contact us if you have any queries or concerns about how Brexit will affect your business, by calling 01787 277742 or email teambrexit@datacompliant.co.uk

Gareth Evans, 4th October 2019

 

 

Brexit. 35 days to go … and stormy times at Westminster

Well nobody saw that coming! On Tuesday, as storm clouds descended on Westminster, the Supreme Court delivered its own thunderbolt.  In a unanimous decision, all 11 Supreme Court Justices ruled that, in the circumstances, it was unlawful for the Government to advise the Queen to prorogue Parliament. The suspension of Parliament was void and the session should resume as soon as possible. In effect the Court overruled the legal basis for the prorogation.

Parliament duly resumed on Wednesday morning with renewed antagonism (even toxicity) on all sides of the political and Brexit divide.    

In the opening exchanges Government made it clear that it accepted the ruling of the Court. Nevertheless, Ministers, including the Attorney General, Geoffrey Cox, made it clear that they profoundly disagreed with the ruling.   The Attorney General stated he is “considering” releasing his original advice to Government on prorogation. It will be interesting to see the legal basis for his advice.

Still the Brexit clock is ticking…

Parliament will now resume work on the legislative programme of Bills that had been put aside when prorogation was announced. Meanwhile all the work on a revised Withdrawal Agreement with the EU is taking place elsewhere as the shuttle-diplomacy between London and other EU capitals continues.

New deadline?

One piece of legislation that did pass in the brief period between the end of summer recess and the “prorogation that never was” has introduced a new deadline.  The European Union (Withdrawal) (No.2) Act focuses attention on 19th October, a full two weeks before the Hallowe’en witching hour.   

This Act – more commonly referred to as the “Benn Act” and more recently, by the Prime Minister himself, as the “Surrender Bill” – requires Parliament to pass a new Brexit Withdrawal Agreement by the 19th October deadline.  If a Withdrawal Agreement has not been passed with a Parliamentary majority by 19th the law demands that the Government writes to the EU Commission to request a further extension to EU membership.  A draft of letter is included within the Act.

Clearly the provisions of the Act fly in the face of the PM’s commitment to leave the EU, with or without a deal, by 31st October or “die in a ditch”.  When asked directly if he would comply with the Act if he cannot secure a Withdrawal Agreement by 19th October, he answered with a single word. A categoric “No”.

If it turns out that the Prime Minister refuses to obey the provisions of the new Act, the legal basis for his decision will surely be challenged.  But that is a legal challenge that is yet to come…

Deal or No Deal the Data Protection Act & GDPR will apply

Last week we talked about the legal basis for processing personal data. Businesses are concerned about the free flow of personal data.  This will still be possible so long as there is a valid legal basis for processing such as ‘for the performance of a contract’. Contracts, data processing, and data sharing agreements must be up to date including, where applicable, the so-called standard contract clauses.  These are also known as the EU Model Clauses.

Legitimate Interests Processing

Another legal basis is Legitimate Interests which can be the most flexible legal grounds for companies to use.  However, it cannot be assumed that it will always be the most appropriate. In business it’s sometimes used instead of Consent for example certain forms of direct marketing, web analytics or routine internal activities such as HR.

As with all aspects of data protection compliance the rights of the individual and the security of the data are paramount and should be built into any processing operation.  This is known as Privacy by Design and Default.

Legitimate Interests Assessment (LIA)

As part of ‘Privacy by Design and Default’, it is essential to assess the impact of any processing on the individuals concerned.  So the scope, purpose and security of the processing must be considered before using Legitimate Interests as a legal basis for processing personal data. This can be achieved by conducting a legitimate interests assessment, which consists of:

  1. Establishing a use case which identifies the legitimate interest
  2. Conducting a necessity test – is the processing really needed/is there an alternative
  3. Conducting a balancing test – this will help to identify the impact of your processing and whether this overrides the interest you have identified
  4. Safeguards – having adequate technical and organisational safeguards in place to protect the confidentiality and integrity of the data

It is advisable to use a LIA Framework or template for this purpose and seek the advice of a data protection officer or advisor who has the expertise to guide you through this process.

Please feel free to contact us if you have any queries or concerns about how Brexit will affect your business, by calling 01787 277742 or email teambrexit@datacompliant.co.uk

Gareth Evans, 27th September 2019

42 days and counting….

With the countdown to Brexit clock still ticking it seems that all has gone (relatively) quiet on the Brexit front. Parliament is not sitting and won’t be back until 14th October but this has not stopped politicians and commentators on all sides of the debate from re-iterating their deeply-held positions.   

Behind the scenes, it is reported, there is a great deal of shuttle-diplomacy taking place. Both the Prime Minister and his chief negotiator, David Frost, have become frequent passengers on the Eurostar as they dash between London, Brussels and the other capitals of Europe.  Yet the details of the discussions are still far from clear.

The “non-paper”

On Thursday it emerged that apparently the Government has issued a ”non-paper” to the EU outlining some thoughts on how an acceptable Brexit deal can be achieved.  “Non paper” is a particularly bizarre EU concept for written proposals that have no formal status. At the risk of sounding like something from Alice through the Looking Glass, it is a paper that is not a ”paper”. 

The details contained in the non-paper are unlikely to be officially released. But, if past experience is anything to go by, non-papers tend to see the light of day through unofficial and unattributable leaks.

The Law’s Delay

With little information to go on it is perhaps unsurprising that attention has turned to the other burning issue in UK politics – the judgement of the Supreme Court on the legality of the decision to prorogue Parliament.   Whilst this is not a Brexit issue in itself, the plaintiffs in the two cases before the Court clearly suspect that Parliament was suspended in order to prevent scrutiny of the Brexit negotiations. 

At the time of writing the judges are still out and the judgement is yet to be issued. Whatever the decision it is clearly going to have an impact on the course of the Brexit countdown. 

With attention focussed on legal matters it is perhaps worthwhile spending a little time looking at an often misunderstood aspect of data protection law, specifically the legal basis for processing data. 

On what legal basis can companies process personal data?

The collection and processing of personal data must be first and foremost be lawful under the GDPR and Data Protection Act 2018.  There are six legal grounds for processing and one of them MUST apply.  They are summarised below in no particular order:

  • Consent – a person must have given their consent for one or more specific purpose(s) (e.g. for consumer electronic marketing purposes)
  • Contract – the processing is necessary for the performance of a contract to which a data subject is a party or has requested before entering into a contract (e.g. for employee, client or third-party contracts)
  • Legal obligation – for compliance with a legal obligation such as HMRC
  • Vital interests – processing is necessary to protect a data subject or another person (e.g. medical records in the case of an accident)
  • Legitimate interests – where data processing is necessary for the purposes of the legitimate interests of the data controller, except where such interests are overridden by the interests or fundamental rights or freedoms of the individual (a Legitimate Interests Assessment must take place e.g. for some direct marketing purposes)
  • Public interest – for a task carried out in the public interest or in the exercise of official authority vested in the controller

Please feel free to contact us if you have any queries or concerns about how Brexit will affect your business, by calling 01787 277742 or email teambrexit@datacompliant.co.uk

Gareth Evans, 20th September 2019

Operation Yellowhammer

Ornithology

What has Brexit to do with a small member of the bunting family? A bird that is migratory, apparently recognising no national boundaries. One that is found throughout Europe and thrives in its adopted homes in Australia and New Zealand.  So widespread is the Yellowhammer (Emberiza citronella) that it has been adopted as the state symbol of Alabama.

Clearly someone in Whitehall running the No Deal contingency planning is a keen birder. Or has a sense of humour.

Political Wrangling

In extraordinary scenes this week Parliament was prorogued until 15th October.  It is a move that is not without controversy and we shall see the judgement of the UK Supreme Court next week. 

One of the final acts of outgoing Parliament was to pass legislation compelling Government to publish the dossier on the potential consequences of a “No Deal” Brexit, a document bearing the codename “Operation Yellowhammer”.    

Extracts from the Yellowhammer report had been leaked and published in the Sunday Times a few weeks ago.  Following the publication of the extracts arguments raged about the age of the Yellowhammer document and whether or not it represented a “Worst Case” or “Base Case” planning scenario.

Wednesday evening saw the publication of a remarkably matter-of-fact 5-page Operation Yellowhammer document with the status “Official Sensitive”. The report is dated 2nd August and it apparently represents the Government’s “Reasonable Worst Case Planning Assumptions”. 

Implications for UK Companies receiving Personal Data from EU

Under the general heading “Key Planning Assumptions” are sections on the widely discussed impacts on HGVs entering the UK particularly at the Channel ports and disruption to the supply of fresh food and medicines.

Listed at Number 9 (of 20 assumptions) is the following:

“The EU will not have made a data decision with regard to the UK before exit.  This will disrupt the flow of personal data from the EU where an alternative legal basis for transfer is not in place. In no deal an adequacy assessment could take years.”

This is an important consideration for companies in their No Deal contingency planning. Under the No Deal outcome, the UK becomes a Third Country and would no longer be covered by EU ‘free flow of data’ rules. 

As the Yellowhammer report states the UK would need to apply for an adequacy decision to ease the flow of personal data from EU member states.  Typically, an adequacy assessment from the EU can take 2 years – sometimes longer.

To date the EU Commission has adopted 13 adequacy decisions with: Andorra, Argentina, Canada, the Faroe Islands, Guernsey, Israel, the Isle of Man, Jersey, New Zealand, Switzerland, Uruguay, and the United States (for companies using the EU-US Privacy Shield or Swiss-US Privacy Shield). Most recently the EU agreed a reciprocal adequacy decision with Japan. South Korea started the process of applying for an adequacy decision from the Commission in 2015. The decision is still awaited. 

What to do?

The previous blog (“55 Days to Go”) covers the steps that UK companies need to take when handling data from EU member states.

Privacy Notices

Companies must also review and update Privacy Notices to include amongst other items:

  • The legal basis for processing personal data
  • Collection and use of personal data for direct marketing, analytics, research purposes – where applicable
  • Collection of HR personal data
  • Transfers of personal data outside the EEA and the transfer mechanisms in place to govern those transfers

What Next?

An update on the August version of the Yellowhammer report which will include the current contingency plans in the case of a No Deal Brexit has been promised. It will be interesting to see if any progress has been made on the status off data flows in recent weeks.

Meanwhile the Government continues to insist its preferred outcome from the Brexit negotiations is a deal with the EU.  If a deal is secured it may be that the current flows of personal data to and from the EU are not materially affected.

Watch this space.

Please feel free to contact us if you have any queries or concerns about how Brexit will affect your business, by calling 01787 277742 or email teambrexit@datacompliant.co.uk

Gareth Evans, 12th September 2019

Brexit: 55 Days to Go, or is it?

It has been a momentous week for UK politics. With Parliament back from the summer recess MPs moved to seize the Order Paper from Government. There then followed an audacious move to legislate against a “No Deal” Brexit, a move which would hamstring the Government’s Brexit negotiation strategy. The Government’s strenuous attempts to prevent the passage of legislation to take the “No Deal” option out of the equation led to the withdrawal of the whip (in effect the suspension) of 21 Conservative MPs.  The legislation that would prevent a No Deal outcome will return to Parliament early next week.  It remains to be seen whether the legislation achieves Royal Assent and is written into law.

In the meantime, the plan to prorogue Parliament for five weeks ahead of the Brexit deadline moved on apace despite a number of legal challenges.

Elsewhere 

This week also saw the Prime Minister’s own brother, Jo Johnson, resign as Universities Minister registering his objection to the direction of the Brexit negotiations which he viewed as no longer in the national interest. 

On a happier note Downing Street announced the arrival of a new resident as the Prime Minister and his partner unveiled Dilyn their new puppy.

The Prime Minister is keen to reinforce his Government’s resolve to achieve Brexit, with or without a deal by the 31st October deadline. But despite his vigorous defence of this policy it remains unclear whether this will be achieved.

Implications for businesses

Amongst all this political turmoil it is difficult for businesses to plan ahead especially if the business model includes data transfers to or from EEA companies.

In the case of a No Deal Brexit on the date of departure the UK becomes a ‘Third Country’ in terms of EU data transference rules.  This means companies that the UK will not have adequacy status, so needs to take particular steps when processing EEA* data, for example, the data of your customers or prospects or clients.

What you need to do

The UK will recognise all EEA countries as adequate under UK law.  So there are no issues with you continuing to send personal data to the EEA. 

The reverse, however, is not the case so there will be major changes when transferring personal data from the EEA to the UK.  You need to prepare:

  1. Know your data” specifically that data you process about EU individuals.  Make sure your data mapping is up to date and identifies those individuals outside the UK, but within the EEA.
  2. Take appropriate GDPR safeguards for processing and transfers of EEA data, and update your privacy policy accordingly
  3. Use Standard Contractual Clauses to enable transfers of personal data from the EEA to the UK and vice versa.
  4.  If you are using Binding Corporate Rules, these will need to be adjusted slightly post-Brexit.

*EEA = The 27 European Member States, plus Iceland, Liechtenstein and Norway.

Please feel free to contact us if you have any queries or concerns about how Brexit will affect your business, by calling 01787 277742 or email teambrexit@datacompliant.co.uk