Brexit will soon be upon us, and the exit conditions of the United Kingdom are still as uncertain as they were two years ago. After an exit originally planned for March 29th, 2019, the UK delayed the date to April 12th, and now journalists are even talking about a Brexit happening on June 30th. In any case, everyone knows that the UK is supposed to leave the European Union, but no one knows when it will happen. Even if this delay is not necessarily a good thing for the blood pressure of British citizens, European companies can take advantage of the situation to put their affairs in order.
Everyone knows that the European regulation on data protection (the GDPR) caused a wave of panic among companies that had to ensure compliance before May 25th, 2018. Very few companies were compliant when the regulation came into effect, so they had to get back into line as quickly as they could. Some of them thought they were done with compliance work, but because of Brexit, they will probably have to ask the DPO to come back to work full-time for a while. Indeed, if your data has already been transferred to the United Kingdom, changes are required. If you have not done so yet, it’s time for you to take action and use the political indecision of English leaders to think about a strategy for bringing the data back into the EU.
Things were better before…
When the United Kingdom was still a member of the European Union, everything was easier regarding the GDPR.
Reminder of the rules: a company can transfer data to any Member State of the EU. That’s the rule given by the GDPR, which does not impose any administrative restriction as long as the data does not leave European territory. Consequently, some European companies may have transferred data to the UK because they have subsidiaries there or because the data is hosted in a data center in that country.
However, this “free” transfer will no longer be possible in the near future. Once Brexit is final, the data will be considered as transferred outside European territory, so the company runs the risk of a fine of up to €20 million or 4% of its total worldwide annual turnover for failure to comply with the GDPR.
Nevertheless, the situation may not be so catastrophic for companies, on condition that the English and European political leaders do their bit to negotiate an exit deal. There are therefore two possibilities regarding the exit of the United Kingdom, each with different consequences for companies.
First possibility: the ideal scenario (but don’t get your hopes up)
This situation would be perfect for companies, because it would imply that the United Kingdom signed an “adequacy decision” with the European Union before leaving. This agreement would ensure an adequate level of protection for people’s personal data when it is transferred across the Channel.
No formality is required in this scenario, and companies wouldn’t have to bring their data back into the EU.
In brief, companies wouldn’t have to do anything, and they could keep on storing their data in the UK.
This scenario could possibly happen, because the United Kingdom meets the three requirements needed to sign an adequacy decision:
- The UK respects human rights and fundamental freedoms;
- There already is an independent supervisory authority in the UK;
- There already is a law about the protection of personal data in the UK.
All these criteria are stated by the GDPR. Since the UK already fulfills all of them, an adequacy decision is possible.
But come back down to earth: this scenario will (probably) not happen. Considering the huge mess of the negotiations, the GDPR will certainly not be Theresa May’s top priority. The negotiations between the European institutions and the UK institutions have been at a standstill for over two years, so it would be a miracle if a Brexit deal were reached just a few days before the exit.
Because of this, be ready for the second scenario…
Second possibility: the panic scenario for the companies (the most likely to happen)
This is the worst-case scenario, and it is probably the one that will happen. If the United Kingdom leaves the European Union without reaching a deal with the institutions, the GDPR will stop being enforceable overnight on the other side of the Channel.
The country will be considered a third country, so any transfer of personal data will be forbidden. If companies do not plan ahead for this scenario, they run the risk of the administrative penalties provided for by the GDPR, which can be very damaging to a company’s image and turnover.
In order to continue such transfers without being sanctioned, extensive formal requirements must be fulfilled. Indeed, the transfer will have to be subject to “appropriate safeguards”. More precisely, the European company must have the English controller or processor sign a contract binding them to comply with the protection of personal data. Also, a code of conduct must be approved by the data recipient within the third country to guarantee the processing of personal data.
In short, these are additional administrative restrictions for a company. If the code of conduct is not respected, or if the contract signed with the data recipient omits an essential clause, the transfer will be considered unauthorized. The penalties are the same as those mentioned above.
If I want to continue to transfer some data to my subsidiaries, what’s the damage?
Even if the data is transferred to an English subsidiary, the explanations given in this article still apply. However, the transfer procedure will be different.
Indeed, the company must impose BCR (“binding corporate rules”). These rules are meant for the subsidiary, binding it to process data in compliance with the GDPR. Extensive obligations will be imposed on the subsidiaries, so they will probably dislike the internal changes caused by the European regulation.
If the subsidiary fails to comply with these rules, the European company can be sanctioned by the supervisory authority.
Consequently, companies have to make sure that their subsidiaries located in the United Kingdom comply with the BCR.
In short, don’t expect miracles
Companies had better anticipate the situation if they do not want to end up in an awkward position.
If the data is stored on a server located in the UK, it is strongly advised that you find an alternative solution and transfer it to another Member State of the European Union. Also, if companies rely on a processor located in the UK, they should find another European provider for the same services.
Of course, they can continue to store the data within the UK and provide appropriate safeguards, but this option is risky when there are alternatives within the EU that will be less complicated to implement.
If all these procedures seem tedious or impossible to carry out, don’t worry! The Ziwit Academy will answer all of your questions on the subject if you want to attend our GDPR training.