Data Protection in the UK Post Brexit – 6 Steps to Prepare Your Organisation
If your organisation shares personal data with organisations in the European Economic Area (EEA), you need to comply with data protection laws if the UK leaves the European Union (EU) without a deal. Below, we outline six practical steps your organisation needs to take to prepare for data protection post Brexit.
The end of the transition period is approaching. In January this year, the UK left the EU. We are now in a transitional period, which ends on the 31st of December 2020, and during this crucial time we are following the Data Protection Act 2018 and the GDPR.
If the United Kingdom and the European Union fail to reach a trade agreement at the end of the transitional period, the UK will be considered a ‘third country.’ This means that there will be no adequacy decision in place and organisations will need to implement an alternative mechanism to ensure the safety of data when making international transfers.
You must also note that if your organisation is compliant with the Data Protection Act and the GDPR—and if you have no customers or contacts within the EU—then you have no action to take. However, if your business receives personal data from customers and clients within the EEA, then you will need to implement further procedures to ensure the data can continue to flow.
If you are a business based in the UK with offices in the EU or customers and clients in the EU, then you will need to be compliant with both the Data Protection Act 2018 and the GDPR and any other EU Data Protection Law.
The best way to be prepared at the end of the transitional period is to ensure that you comply with the Data Protection Act 2018 and the GDPR as the UK will retain its high standard of data protection.
Likewise, if your business is receiving personal data from the EU, then the organisation sending it needs to comply with the relevant data protection laws. You will also need to make sure they are compliant with their local legislation.
Build an action plan for your organisation by following the six steps below. This will not only mean your organisation is prepared and compliant, but you will also have the confidence that the data you manage and process is safe and the reputation of your business is not at risk.
1. Update your data mapping
Data mapping is a key part of the data protection process. The quality of your data mapping is important as this ensures that you know the “where,” “why,” “who,” “how,” and “what” of your data processes.
Your data map should be a working document and must be kept up to date with your processing activities. All staff within your organisation should be informed of the data mapping process so that they are able to add the data from their department to this exercise.
A data map will help you to decide if you are a controller or a processor and the most appropriate ‘Lawful Basis’ for the processing activities you conduct. This exercise will also help you put extra security around any special category information.
Conduct or update your existing data map in line with any changes that are happening. This audit should give you a complete life cycle of the data you control or process.
2. Evaluate whether you need Standard Contractual Clauses (SCCs)
To ensure that the data can continue to pass between the UK and the EU, it is recommended that SCCs are put in place between the importer and exporter of data, as well as the third parties involved. The SCC reflects the different roles each organisation has with the data: controller, processor, or any other third party.
There are EU-approved terms to help you achieve this—SCCs are contractual terms and conditions which the receiver and sender both agree and sign up to. These terms and conditions help protect the data when it leaves the EEA.
There are different SCCs for you to use depending on your role in the transfer: are you sending the data to an additional controller, or are you the controller sending data to a processor? Remember that all data centres are processors.
Assess your data transfers and whether you need SCCs in place and the type of SCC required.
3. Assess if Binding Corporate Rules (BCRs) are the most appropriate route for your business
BCRs allow multinational corporations to transfer personal data from the EEA to their associated companies outside the EEA. Participants of BCRs must show that adequate safeguards are in place to protect the transfer of data throughout the organisational entities.
Having BCRs in place will avoid having to approach every supervisory authority individually. For this you will need to appoint a data protection authority to be a lead authority, depending on where your headquarters are within the EU. This representative will coordinate any disputes with the supervisory authority within that country should a data subject raise a dispute. This will need to be stated in the Privacy Policy. The appointed representative should ideally be a lawyer or accountant.
BCRs can be written to incorporate company changes, and various ways data can flow. Data authorities do not need to be informed about company changes, thus making BCRs a flexible tool to allow the data to continue to flow.
Employees handling personal data should also participate in a training and awareness programme. Making sure your employees understand their responsibility in keeping personal data safe and secure is important to prevent data breaches.
Assess if BCRs are the most appropriate route for your business. If they are, appoint a data protection authority and ensure you demonstrate that adequate safeguards are in place to protect the transfer of data throughout the organisational entities.
4. Ensure your Privacy Policy is transparent and up to date
When making any changes to the way you control or process data, it must be reflected within your Privacy Policy. This will guarantee that the data subjects you process or control data for are aware of these changes, regardless of the type of change to the data.
A Privacy Policy is your chance to be transparent about the way you control and process data.
Before writing your Privacy Policy, you will need to be aware of where all the data that you control or process resides. This should be reflected in your data map as outlined in Step 1. If you haven’t done this yet, you will need to conduct a data mapping exercise.
Within your Privacy Policy, you must ensure that the data subjects are aware of the rights they have over their data that you handle. You can also inform data subjects how you are safeguarding their data, so make sure you tell them if you are using BCRs or SCCs.
Review your existing Privacy Policy and update it with any changes to the way you process or control data.
5. Conduct due diligence on your suppliers
If your organisation relies on third party suppliers to operate, it is your responsibility to ensure their data processing activities satisfy the demands of the DPA 2018 and GDPR. This is a good opportunity to ensure that you have assessed your suppliers’ data compliance or carried out annual due diligence checks. This should ensure that the relevant contracts are in place and that you are complying with data protection laws.
An annual due diligence check should be conducted on suppliers that you transfer data to. These checks should ask in-depth questions based on their Information Security practices. These checks should likewise ensure that relevant contracts are in place, and that you are aware of any onward transfers of the data that you are the controller of.
It is beneficial to have Data Sharing Policies and procedures in place so that your organisation can manage data-sharing decisions. The training of staff who are likely to make these decisions is important to ensure they are informed of their responsibilities.
This exercise will also loop you back to your data mapping and where the data is being transferred to. Will you need to apply any extra safeguards, such as SCCs, or are you covered by an adequacy decision? Likewise, could you be covered by any of the exemptions?
It is important to remember that all contracts must take into account the individual rights of the data subjects.
Make a list of all the suppliers that you transfer data to and carry out checks to identify if there are any data protection risks to your business posed by non-compliant suppliers.
6. Conduct necessary Data Protection Impact Assessments (DPIAs)
A DPIA is a vital factor in data protection compliance for any new project or changes you make to an existing procedure. A simple way to identify if a DPIA is necessary is to ask yourself “Am I making any changes to the way the data is processed?” If you answer yes then you need to conduct a DPIA, regardless of how small the change is—that change may introduce a risk that wasn’t there previously.
Your DPIA procedure should also be regularly reviewed. The impact assessment is a risk assessment which, if conducted correctly, will incorporate all the required elements of the DPA 2018 and GDPR.
A DPIA is an in-depth risk assessment specific to data and data subjects’ rights and should be conducted on all projects which involve data.
Identify any new projects involving data within your organisation and any changes to existing procedures. Conduct all necessary DPIAs.
We also have a video series covering these six data protection steps which you can watch here.