Contractors, despite Brexit, with GDPR it’s business as usual, bar these new vital steps
Coronavirus measures. IR35 reform. Entrepreneurs’ Relief. It’s safe to say that there’s a fair bit of legislation coming down the pipe which contractors have, understandably, got their eye on.
But don’t overlook the legislation we’ve already got. More than that, consider the existing legislation which, in the eyes of some contractors and companies, is being made blurry by the seismic shift going on in the background right now. I’m referring to Brexit -- and GDPR, writes Charlotte Gerish, founder of law firm Gerish Legal.
What is the current position and what does Brexit actually mean for GDPR?
At the moment, the UK is in the ‘transition period.’ In practical terms for the General Data Protection Regulation, nothing has changed (yet), and it seems that nothing will change until the end of 2020, when the transition period ends.
This means that, technically, we can continue to lawfully share data from the UK to EU countries; our data will be afforded the same protection, and we should continue to protect personal data in the same way (as pre-January 31st 2019).
It is worth noting that the UK had solid data protection laws in place even pre-GDPR, and that it also enacted the Data Protection Act 2018 into UK law once the GDPR came into force. So EU or not, the UK is arguably a secure environment for personal data processing.
However, the end of the transition period (December 31st 2020) is approaching, and now is the right time to prepare. This means that, although nothing has changed yet – and won’t, at least until the end of the transition period – we are likely to see companies implementing new data processes and changing their information procedures. For some, even the current downtime triggered by the coronavirus pandemic could provide a comparatively quieter time to look carefully at adapting our client data practices, as well as our own.
Will the UK be granted an ‘adequacy decision’ – and what does this mean?
The UK government recently announced that it does intend to seek an ‘adequacy decision’ from the EU before the end of the transition period under the GDPR. The Council of the European Union has also stated that it hopes to work with the UK towards an adequacy decision.
An adequacy decision effectively involves the EU declaring that a country outside the EU offers personal data a level of protection comparable to that afforded by EU Member States.
In practical terms, it would mean that the procedures UK-based contractors have in place now could continue unchanged. We, as a nation, would still protect data in the way that the GDPR requires, expect our own data to be protected in the same way, and could share data with, and receive data from, the EU and other countries that have adequacy decisions. It would be as if we were still in the EU for GDPR purposes.
What can companies do if an adequacy decision is not granted?
While the UK has stated it intends to seek an adequacy decision, it has also stated that it intends to have its own independent data protection policies. The EU has also warned that an adequacy decision will not be automatic, and so it intends to assess the sufficiency of UK data privacy laws. If an adequacy decision is not granted, there are other options that can be put in place that will allow us to continue sharing data with the EU.
The (likely) most reliable option is a set of Standard Contractual Clauses (or SCCs). These clauses are already used by businesses not in the EU who wish to send data to (or receive data from) the EU. They are a set of terms to be included in a contract which requires data to be shared, and basically set out that the rules in the GDPR will be followed. In practice it would mean that you could continue to follow the same procedures if you have already been sharing data in a way that is GDPR-compliant. You just need to ensure the SCCs are included in the contract so that both parties understand their obligations, and of course ensure the GDPR-compliant rules set out in them are followed.
There are three sets of SCCs available to be used by companies online, two for EU controllers to non-EU controllers, available here and here, and one for EU controllers to non-EU processors, available here. If you are unsure of your data processing and transfer activities, or whether you or any parties you are receiving data from, or transferring data to, are ‘controllers’ or ‘processors,’ it is worth undertaking data mapping and seeking legal advice. The failure to determine your role and processing activities properly can have quite serious consequences if the result is that the proper legal documentation has not been put in place.
Another option worth mentioning is Binding Corporate Rules. These are a set of practices set out and developed by companies, individually, to ensure GDPR-level protection. However, they would not automatically authorise data transfers with the EU; rather, they need to be submitted to the data protection authority in each state for authorisation -- a lengthy process which tends to be reserved for larger companies carrying out international transfers between various group companies.
What sectors are most at risk?
Interestingly, the sectors that are least likely to be affected by Brexit, as a whole, such as tech, communications, R&D and start-ups, actually have more exposure to the GDPR in the course of their business activities. Sectors with less exposure to the GDPR, such as the iron and steel industry, automotive and manual labour, are expected to be hit the hardest (by Brexit), financially. As such, the importance and applicability of data protection laws will still be a key element of the post-Brexit story. The GDPR has been developed with global applicability in mind, which is why we have other options such as SCCs. If your client or your own company has already been GDPR-compliant as a member of the EU, it should maintain the same processes, and just make sure to put these extra safeguards in place.
Which practical steps should I take immediately?
So is it ‘business as usual’ during the transition period? Legally it could be, but we would recommend taking proactive steps now. Ensure your GDPR procedures are compliant first of all, and map out your processing activities to choose the most suitable protective mechanism for your business.
Start considering inserting SCCs into your contracts in case we do not get an adequacy decision, and keep records of any data protection considerations so that you can demonstrate you are striving for compliance. Stay up to date with data-related news and developments. And, as always, if you are unsure, get legal advice on your practices, data processing activities, privacy documentation and contracts. This is not an area to wade into without a full grasp of the legal and technical issues, especially given the potentially hefty costs that can arise from reputational damage, contract breaches, data loss and penalties.