How contractors can Brexit-proof their data protection practices
After much political drama surrounding Brexit, not even the busiest of contractors can have missed that the EU and UK have agreed to delay the UK’s exit from the EU until October 31st 2019, from the initially intended March 29th 2019.
But under the terms of this recent agreement, it is still possible that the UK could leave the EU earlier if a withdrawal agreement is accepted by the United Kingdom's MPs. So as the UK prepares to take part in the European elections on May 23rd (failing which it would leave the EU on June 1st 2019 without a deal), there are still many things to sort out. And data protection and GDPR compliance is definitely one of them!
Like Brexit (and because of it), GDPR is still in the air
Essentially, the GDPR (its full name being the General Data Protection Regulation) is a piece of EU legislation dealing with how personal data must be processed. It has applied in all Member States of the EU, including the UK, since May 25th 2018.
The UK updated its personal data processing law in line with the GDPR through the Data Protection Act 2018. While there are a few things that the EU authorities and the UK government might be able to do to settle the UK's future position under the GDPR (such as the European Commission issuing an 'adequacy decision' recognising the UK's personal data framework), this is subject to much negotiation and, more importantly, to whether the UK leaves with a deal and/or a transitional period.
This doesn’t necessarily provide much comfort to businesses that want to organise things now. So here exclusively for ContractorUK, let me provide you, your consultancy or the end-client you supply with a few ‘quick-wins,’ writes Charlotte Gerrish, founding partner of Gerrish Legal.
Oh, and these quick-wins aren’t just ‘nice-to-haves,’ given that several data protection authorities have warned that they will not give businesses in the EU, UK and US extra time to comply due to Brexit.
Will the GDPR still apply to the UK after Brexit?
The short answer: Yes.
The GDPR will continue to apply to the UK regardless of a 'soft' or 'hard' Brexit. Basically, the GDPR applies to all businesses established in the EU, and also to those established outside the EU when they offer goods or services to individuals in the EU or monitor the behaviour of individuals in the EU (Article 3 of the GDPR).
Therefore, whether you are based in the UK but plan to continue doing business with clients or suppliers in the EU, or you are undertaking projects in EU countries, or you will be processing personal data belonging to individuals in the EU after Brexit, you will need to maintain your GDPR compliance to avoid liability.
So what do you need to do, as a contractor?
1. Audit your EU-to-UK personal data flows
Whether Brexit is 'hard' or 'soft', once the UK has left the EU (immediately in a 'no-deal' exit, or at the end of any transitional period agreed in a deal) the UK will no longer automatically be able to receive personal data from the EU.
This is because for the purposes of the GDPR, the UK will no longer be a ‘Member State’ and will be dealt with as a “third country”. This means that any business sending personal data to the UK needs to adhere to extra compliance obligations contained in the GDPR, and so do you, as the party receiving it.
Whether you are acting as a data controller, a data processor or even a sub-processor (terms contractors will recognise), you should audit your data flows now to identify whether you are receiving any personal data 1) from the EU or 2) about individuals in the EU.
Doing this audit will help you to identify whether any of your data flows are at risk and whether any specific actions need to be taken by your business, your business partners, clients or suppliers to ensure that the extra compliance obligations are met if you process any personal data in the UK that comes from the EU. Even if you don't, it is still wise to have a back-up plan in place so that you can comply quickly should a client need you to do so.
Meanwhile, special rules will apply to UK-to-US personal data transfers which rely on 'Privacy Shield' certification. If you have identified any of these in your audit, then read on.
2. Double Check any Privacy Shield Certifications
If you are sending any EU personal data from the UK to the US (which can happen simply by saving your data on a server hosted in the US, or by using SaaS or cloud-based products hosted in the US, such as your CRM system), and your supplier, business partner or client is relying on the EU-US Privacy Shield Framework, then you need to check that your US-based business partners have updated their Privacy Shield commitments to cover personal data received from the UK (in accordance with the US government's Privacy Shield guidance on Brexit).
If they haven't done so, then they will no longer be able to rely on Privacy Shield to receive personal data from the UK, meaning that your transfers would not be GDPR-compliant.
The latest date for your US-based business partners to do this would be as of the withdrawal date in the event of a ‘no-deal’ outcome between the UK and EU, or subject to the transitional period requirements if a deal is agreed.
3. Consider appointing an EU-based representative
As the UK will be considered a 'third country' post-Brexit, you will need to comply with Article 27 of the GDPR and appoint a representative situated in an EU Member State. This is compulsory if, after the withdrawal, you continue to offer goods or services to individuals in the EU or carry out behaviour monitoring (such as online analytics) of individuals in the EU.
Your 'representative' can be an individual or an entity, but must be established in the EU. Moreover, when you are deciding where to appoint your representative, they need to be established in one of the Member States in which the data subjects whose data you process are located. Furthermore, recent guidance from the European Data Protection Board states that your representative cannot also be your external Data Protection Officer, as this could create a conflict of interests.
There may be certain situations in which you do not need to appoint a representative. For example, Article 27 does not apply where your processing is only occasional, does not include large-scale processing of special categories of personal data (sensitive data) or of personal data relating to criminal convictions or offences, and is unlikely to result in a risk to the rights and freedoms of data subjects. Note that all three of these conditions must be met for the exemption to apply.
If you have any doubt about whether you need to appoint an EU representative, it is worth seeking independent legal advice as this can save a lot of time, stress (and money) later down the line.
4. Ensure that your contracts are up-to-date
If you are processing personal data in the UK which you have received from the EU or which relates to EU data subjects, then you need to make sure that your contracts are up to scratch.
Firstly, where your personal data processing arrangements with another party amount to a controller-processor relationship, you need to make sure that you have entered into a GDPR-compliant Data Processing Agreement (DPA) under Article 28, with clauses that are adapted to the UK's new status post-Brexit.
Secondly, once the UK is a 'third country', you will need to enter into the Standard Contractual Clauses (SCCs) with the contractual partners who send you personal data from the EU. The SCCs are a standard set of contractual clauses which have been issued by the European Commission. They should be put in place in all of your relevant agreements going forward, or issued to all of your EU clients and suppliers, as they are one of the easiest ways to receive EU personal data compliantly: entering into the SCCs fulfils the extra compliance obligations in the GDPR for third-country transfers, provided that they are properly completed and not amended. It is worth noting that the SCCs have not been updated by the European Commission since the pre-GDPR days, so it is important to keep monitoring developments to check whether any changes will be made or a new version issued.
Thirdly, if you do have to appoint an EU-based representative as set out above at point 3, the GDPR states that this needs to be done in writing. This means you should ensure the appointment is done via a properly drafted contract which sets out the scope of the appointment, the key obligations and liabilities.
Finally, you should conduct a general review of the data protection clauses in all of your contracts to make sure that they are up to date with the UK's post-Brexit status as a 'third country', and to double-check that there are no inconsistencies with your DPAs or with any of the processing information you have included in the SCCs.
5. Keep an eye on the latest developments
There is much uncertainty generally with Brexit and it seems that we are getting new information every day. The overall position regarding the UK and GDPR will depend on whether the UK leaves the EU with a deal or not, and if so, what the terms of that deal and any transitional arrangements are.
This piece can therefore only set out the current best practice, to help you be as ready as possible for when the small print is settled. So I urge you to keep an eye on developments so that you can update your practices swiftly, with confidence and in accordance with any new guidance. There are fairly pain-free ways to do this, such as checking our own website's 'insights' or 'blog' pages, but pace yourself, because the days, negotiations and wrangling between now and the milestone dates, whether June 1st or October 31st, could be anything but!