
Data Protection


Are you on top of your third-party data transfer exposure?

UK-based organisations have a lot to think about, given the global pandemic, fears of a double-dip recession and Brexit fast approaching. It is not surprising, therefore, that addressing data protection concerns – particularly around third-party personal data transfer – might not be top of the ‘to do’ list. However, it is important that UK-based organisations understand their responsibilities in this area, as potential financial and reputational sanctions could otherwise lie ahead.

There have been significant developments in recent weeks, but the story starts back in July 2020 with the European Court of Justice’s decision to invalidate the EU-US Privacy Shield. This had the interesting by-product of calling into question the continued use of Standard Contractual Clauses (SCCs) for any personal data transfer outside of the EU.

The decision left organisations confused about how they would be able to transfer information legally in future. For entities based in the UK (and Europe), SCCs had been deemed a quick fix to ensure that personal information could be transferred internationally outside of the EU. Suddenly they were being told this was potentially no longer the case – unless an ‘assessment’ of the recipient country was completed in order to justify the continued use of the SCCs. The assessment would involve ensuring the jurisdiction had protections equivalent to those required under EU law when personal data was sent there.

Brexit has added further uncertainty. As it currently stands, the UK is waiting on the decision of the European Commission to grant the UK ‘adequacy’ from a data protection perspective. The award of this adequacy status would mean that the free flow of personal data between the UK and the EU can continue without additional safeguards being required. The likelihood of the adequacy decision being granted by the end of the transitional period on 31 December 2020 is extremely low. Therefore, on 1 January 2021, the UK will be deemed a third country from a data protection perspective in the eyes of the EU.

All these developments have the following repercussions for UK entities:

  1. They can continue to use the SCCs (see reference to redrafted SCCs below) as an acceptable safeguard for any exposure to international personal data transfer, but an assessment must be completed.
  2. From a Brexit standpoint, UK organisations need to consider where they have exposure to personal data transfer coming from any jurisdiction inside the EU. Although the UK can continue to transfer personal data into the EU, until the UK receives the adequacy decision, any personal data transfer from the EU into the UK will need to be covered by an appropriate safeguard.


Recent developments

Fast forward to December 2020 and there have been a couple of developments, primarily as a result of the decision to invalidate the EU-US Privacy Shield. UK companies are affected not only by personal data transfers to or from a third country outside of the EU, but also by any personal data transfer coming directly from the EU into the UK.

In November 2020, the European Data Protection Board issued recommendations on supplementary measures that an organisation needs to consider when undertaking an assessment of a jurisdiction. The guidance can be broken down into a number of steps as follows:

Step 1. Identify your international personal data transfer exposure and ensure that a transfer mechanism has been selected.

Step 2. Investigate and assess whether the law and practice of the third country (outside the EEA) provide sufficient protection, i.e. that there is nothing that would stop the organisation relying on the transfer mechanism that has been selected.

Step 3. If required, identify and adopt the supplementary measures in order to bring the level of protection of the third country up to the standards expected by the EU. These could be technical safeguards, contractual safeguards or organisational measures.

Another recent development affects the SCCs. As a result of the decision to invalidate the EU-US Privacy Shield, the SCCs have been redrafted to take account of the weaknesses identified during the judgement. The new versions incorporate stronger safeguards for personal data transfers into the contracts themselves.


Action now

The assessment guidance and redrafted SCCs remain open for comment until 21 December 2020. However, UK organisations can begin preparatory action to ensure ongoing compliance with data protection law and the ability to continue the legal transfer of personal data.

Until the guidance and redrafted SCCs are confirmed, here are our recommendations for immediate action:

  • Fully understand your personal data flows across the organisation.
  • Identify which data flows bring an exposure to international personal data transfer.
  • Conclude on the transfer mechanism to be relied on for each transfer.
  • Identify where an assessment and/or contractual changes will potentially need to be made.

The legal landscape around data transfer is complex. It is extremely important for any UK-based organisation to identify where it is exposed and draw up a roadmap to address the associated risks. The Information Commissioner’s Office, as the UK regulator, will expect organisations to be on top of their compliance responsibilities.

Please do get in contact with me if you would like to find out more on this subject or to have a more detailed discussion about how your organisation could be affected.

Source: BDO UK