Over time, the personal data impacts of the United Kingdom (UK) leaving the European Union (EU) will be revealed. The scope of any free trade deal that addresses data protection will set the scene for immediate and long-term personal data flows. In the short to medium term, any adequacy decision will minimise costs and disruption to companies and organisations. The impact of the Court of Justice of the European Union’s Schrems II decision on Privacy Shield, as it applies to the UK, will also become clearer as decisions are made. The future will include new European Commission data protection Standard Contractual Clauses (SCCs) for personal data transfers to non-EU countries. The UK Information Commissioner’s Office (ICO) is also likely to seek to adopt its own international personal data transfer mechanisms and arrangements over time. It is important for companies and organisations to be strategic, measured and deliberate in choosing the way forward.
Strengthen long-term Data Protection Strategy
Companies and organisations should be very clear about their ongoing data protection strategy. UK companies with limited EU / European Economic Area (EEA) and foreign operations must decide their level of proximity to the EU’s General Data Protection Regulation (GDPR) or adopt a more flexible ad hoc approach to anticipate changes to UK data protection laws. EU and EEA companies and organisations that do business with or offer services to UK customers must decide and confirm which data protection standard will be their baseline. They must decide the level of deviation that they will permit in order to accommodate emerging UK data protection norms while staying true to EU GDPR. International companies and organisations must decide on the level of exceptionalism that their data governance programmes will allow for the UK. They should decide whether the UK will be treated as a default EU member state for GDPR purposes and be held to evolving EU data protection standards, regardless of changes to their own domestic data protection regime or to the UK’s.
Engage with key suppliers and high-risk, high-value contracts
It is important that companies and organisations create and maintain clear channels of communication with their extended supply chains to coordinate their future approaches to data protection. Contracts should be reviewed so that terms which directly or indirectly rely on the UK’s membership of the EU are identified and updated. Key definitions such as “applicable data protection law”, and other EU / EEA-centric terms and references, should be reviewed to reflect the new realities. Standard Contractual Clauses (SCCs) should be considered for large scale and high risk EU / EEA to UK data transfers.
Monitor as the UK becomes an international data adequacy deal maker
The European Union fiercely protects its allocation of data protection adequacy decisions to countries outside the European Union. The UK is fast becoming a broker in the expansion and allocation of data protection adequacy, beyond the EU’s direct remit. Most of the countries included on the EU’s data protection adequacy list have declared that the UK has data protection adequacy. This includes the larger economies like Switzerland, Argentina, Israel and Canada. Japan and the UK have agreed mutual data protection adequacy, which is linked to a new free trade deal. In time, it is likely that the UK and the USA will come to an arrangement on broad data protection adequacy or create a mutual Privacy Shield-type arrangement to accommodate their future economic relationship. Companies and organisations should watch these developments, constantly assess personal data risks, analyse the longer term effects of the Schrems II decision and evaluate the proximity of new adequacy arrangements to EU GDPR.
Get value from EU Data Protection Representatives
Companies and organisations should use the end of the UK ICO’s role as an EU Supervisory Authority under GDPR as an opportunity for strategic thinking about their EU / EEA GDPR exposure. Data Protection Representatives should be appointed within the EU not just to comply with Article 27 of the GDPR, but to stay connected to EU / EEA customers and users, monitor the work and priorities of other EU based Supervisory Authorities and monitor key policy changes taking place in Brussels. EU Representatives should represent non-EU based (and UK) companies and organisations from within the EU, but should also feed back to UK and international companies useful insights, trends, strategic positioning and information about enforcement priorities.
Interact with and educate Users and Consumers
Companies and organisations should take the opportunity to update the places where they meet their users, transact with customers and provide information to them. This includes data protection policies and procedures, data protection notices, information security protocols, websites, publications, social media and staff training initiatives. GDPR Records of Processing Activities (ROPAs) should be updated to maintain transparency and accountability. Supply chains, consumers and users should not be surprised on 1 January 2021 by the sudden impacts of the end of the Brexit transition period, but should steadily receive information and guidance so that practical and strategic choices can be made by all parties.