The UK Government’s prognosis on a No Deal Brexit was released on Tuesday, 11th September at 10pm in the Yellowhammer report. While presenting a stark warning about the consequences of a No Deal exit, a key element identified by the Department for Digital, Culture, Media and Sport (DCMS) at Point 9 of the “Key planning assumptions” states that the “EU will not have made a data decision with regards to the UK before exit. This will disrupt the flow of personal data from the EU where an alternative legal basis for a transfer is not in place. In a no deal scenario, an adequacy assessment could take years.”
An adequacy decision is determined by the European Commission under Article 45 of the GDPR. Under this Article, the European Commission determines if a third country outside the EU offers adequate levels of data protection. Such a decision involves a series of steps including a proposal from the European Commission, an opinion of the European Data Protection Board, an approval from representatives of EU countries and the adoption of the decision by the European Commission. The effect of such a decision is that personal data can flow from the EU to that Third Country without any further safeguard being necessary.
In the event of a No Deal Brexit, the UK will need to be recognized by the EU as having an adequate level of data protection. Whilst this should be the case, it may take some time to be established and confirmed. In the meantime, the absence of an adequacy decision will severely undermine the transfer of data between the EU and the UK. This will greatly affect areas such as Healthcare, Security and Finance, which all rely heavily on personal data.
One of the solutions to such a matter could be for UK-based companies to set up and register an affiliated company in the EU. This would allow companies to take advantage of the Binding Corporate Rules (BCRs), which reflect data protection policies adhered to by companies established in the EU for transfers of personal data outside the EU within a group of undertakings or enterprises. Such rules must include all general data protection principles and enforceable rights to ensure appropriate safeguards for data transfers. They must be legally binding and enforced by every member of the group. Companies must submit binding corporate rules for approval to the competent data protection authority in the EU. The authority will approve the BCRs in accordance with the consistency mechanism set out in Article 63 of the GDPR.
Companies in the UK will also need to designate an EEA Representative, and this will mean registering an EU address for that GDPR representative. The EU address will act as the point of contact for communications received from EU-based data subjects in relation to data subject rights requests and other general GDPR-related enquiries. It will also act as a point of contact for communications received from EU supervisory authorities. The representative will also keep a record of processing activities and make it available to the data protection authorities upon request.
Furthermore, for small and medium businesses, and to facilitate the free flow of data, Standard Contractual Clauses (SCCs) have to be put in place. SCCs are standard sets of contractual terms and conditions which the sender and the receiver of the personal data both sign up to. They include contractual obligations which help to protect personal data when it leaves the EEA and the protection of GDPR.
Our legal team at W Legal Ltd is well placed to assist you in preparing for these scenarios and to address the hurdles that are likely to arise. Please do contact Elliot Shear, David Ellis, Raphael Uribe or any other member of the W Legal team for further information at elliot.shear@wlegal.co.uk, david.ellis@wlegal.co.uk or raphael.uribe@wlegal.co.uk, or alternatively call us on 020 7220 9130.