Brexit or not: new EU data protection rules
Brexit or not, new EU data protection rules affect companies in the UK
With an increasing number of companies at risk from data breaches, compliance with data protection legislation is a growing issue. As the United Kingdom prepares to vote in the June 23 referendum on European Union membership, companies with operations in the UK should ensure they are aware of the potential consequences for compliance, particularly with regard to the new EU General Data Protection Regulation (GDPR).
Remaining in the EU
If the UK remains in the EU, companies will be expected to automatically comply with the EU’s GDPR when it comes into force in spring 2018. Companies with operations in the UK therefore have two years to ensure compliance with the new legislation, which contains more stringent rules on companies’ collection, use and storage of personal data.
The GDPR’s key features include:
- Regulations governing the treatment of EU citizens’ data when held outside the EU
- The ‘right to be forgotten’, i.e. for an individual to have information about them removed from search engines’ results
- The right to data portability, i.e. for an individual to be able to move their data from one processing system to another
- New guidelines on active consent
- Regulations governing international transfers of data
- The need for non-EU companies to appoint a representative within the EU to hold responsibility for data compliance
If the UK remains in the EU, companies are advised to take the following preliminary steps:
- Appoint a data protection officer with responsibility for data protection compliance to oversee the transition to the GDPR. The closest existing position to this in the majority of companies is the chief privacy officer. Companies should consider individuals able to advise on legal and technical aspects of GDPR compliance, with experience in producing reports on the treatment of data within the UK and able to represent the company in talks with data protection and supervisory authorities.
- Review, or put in place, breach notification processes to ensure the relevant data protection authority is notified as a matter of course.
- Review global data flows, both internal and external, including those to third-party companies; companies will remain responsible for the compliant handling of EU citizens’ data even when that data is held by third-party companies or outside the EU. This means companies should ensure all EU data is treated in line with the GDPR, no matter where it is stored or whether it is transferred to any third party.
- Create a compliance strategy for the ‘right to be forgotten’, covering all data collected by the company through any method, and the treatment and storage of that data.
- Review all data processing activities to identify the basis of these activities and to ensure their compliance with the GDPR.
- Examine the basis of consent, to bring the ways in which the company seeks and verifies customers’ and clients’ consent in line with the GDPR.
Companies are strongly advised to review the full text of the GDPR, with representatives from all departments, to ensure full compliance. If companies fail to comply, they may face fines of up to EUR 20m or 4% of annual turnover.
If a company falls victim to a data breach, it will be required to report this to the relevant regulatory authority, and may be required to provide guarantees of wider compliance with the GDPR. The legal costs of non-compliance would therefore add reputational, administrative and financial burdens to companies already undergoing lengthy declaration processes.
Leaving the EU
If the UK chooses to leave the EU, it is unlikely to implement legislation in line with the GDPR. Companies operating solely in the UK with UK customers, and storing data only in the UK, would therefore be unlikely to have to implement significant changes in their data protection processes. However, companies also operating within the EU would still have to ensure compliance with the GDPR for the data of their EU customers, and should therefore consider taking the steps outlined above.
On leaving the EU, the UK would have a number of options to ensure compliance with EU regulations:
- The UK could seek ‘adequate jurisdiction’ status – currently held by a number of countries, including Canada, Israel, Switzerland and Uruguay – implying that the UK’s laws provide ‘essential equivalence’ regarding data protection.
- The UK could alternatively seek European Free Trade Association (EFTA) or European Economic Area (EEA) membership, implying that the UK has legislation in line with the GDPR, will implement the GDPR, or will provide additional guarantees of essential equivalence.
- It is most likely that the UK would seek an agreement to govern data transfers using the model of the EU-US Privacy Shield. Under this model, companies would be required to ensure EU customers’ and clients’ data is treated in line with GDPR regulations.
Whether the UK votes to remain in the EU or to leave, it is likely that there will be a period of time in which companies have to rely on Standard Contractual Clauses (SCCs) and Binding Corporate Rules (BCRs), the EU’s legal mechanisms for data transfers. In entering into these agreements, companies will be required to treat EU citizens’ data in line with the GDPR, following the conditions outlined above, as well as complying with any legal obligations within the boundaries of the SCCs and BCRs.
In such cases, companies should be aware of the following:
- Companies will be required to treat EU citizens’ data in line with the GDPR. This will mean taking the same measures that would be required if the UK remained in the EU. Companies should refer to the guidance above on GDPR compliance; note that these requirements would not apply to UK citizens’ data.
- Companies will be required to hold premises within the EU that are responsible and accountable for the treatment of EU data. This will entail designating an office within the EU as the company’s primary office. That office will report, on behalf of the entire company, to the supervisory authority of the country in which it is based, which will act as the company’s primary authority.
- Companies will have to have legal alternatives to the GDPR in place to prevent disruption of services. The EU has already issued two sets of model SCCs, which may be used verbatim if needed; however, any necessary changes must be approved by the relevant EU member state’s data protection authority. Companies should work with their legal department to ensure both SCCs and BCRs comply with EU law.
Whichever route the UK takes, UK companies should consider taking the following steps:
- Review the text and requirements of the GDPR to implement a holistic strategy, in line with data and legal obligations, to fully prepare for the GDPR’s implementation in spring 2018.
- Assess all data flows within the company, including EU-UK and transatlantic data flows.
- Examine data processing, including the issue of active consent.
- Inspect current requirements for reporting data breaches.
- Consult legal and technical specialists to prepare for any transition period before the GDPR’s full implementation.
- Rose Bernard, Cyber Intelligence Analyst