In order to identify whether and how Brexit will impact processing activities in your company, there are several questions that should be asked. Two relevant scenarios exist, depending on where your organisation is based. They are discussed separately in what follows.
2.1. First scenario: you are a company in the EEA
If you are a company established in the EEA, you should ask yourself the following questions as a first step in identifying the processing activities that are impacted by Brexit:
- Do you target customers/data subjects in the UK?
- Do you have an establishment in the UK?
- Do you have processors in the UK?
- Do you transfer personal data or do you make personal data located in the EEA accessible to any third party (other than processors) in the UK?
These questions are important because they will define whether your processing activities are affected by Brexit or not.
There are two major outcomes:
- If your answer to all of the above questions is no, Brexit will likely have no impact on your day-to-day business, since there are no significant ties between you and the UK.
- If, however, your company had to answer yes to any of the above questions, Brexit will likely have a significant impact and you will need to take a closer look at the processing activities that involve data transfers from or to the UK.
If you have found that Brexit has an impact on your business, your record of processing activities, which you are required to keep under the GDPR, should be a good starting point for identifying the relevant activities. Depending on the quality of the record and your role as a company, you may need to expand upon this by having an internal compliance trajectory to identify all incoming and outgoing data from and to the UK and to take all necessary measures to deal with Brexit.
If you answered yes to the first question (and only the first question):
- Since data collected from UK customers flows into the EEA, this does not involve a transfer outside the EEA within the meaning of the GDPR and therefore does not raise GDPR concerns as such.
- However, such a flow may raise concerns under future UK national data protection law, which will be adopted following Brexit and may impose requirements on you if you want to continue doing business with customers in the UK.
- Thus, the impact of Brexit on your company might still be limited, but this will depend on the stance the UK takes on UK-to-EEA transfers and on the direct targeting of UK customers/data subjects by EEA companies.
- Not only the transfer rules may be relevant, but also the application of UK national law as a whole, if the UK retains a principle similar to the territorial scope set out in Article 3(2) GDPR.
If you have an establishment in the UK, rather than customers only:
- UK national law will apply to your establishment.
- The GDPR will still apply to you, and presumably to many processing activities of the UK establishment as well, if connected to the activities in the EEA.
- In addition, it can be assumed that data will be shared between the establishment in the EEA and the establishment in the UK, and thus transfers to the UK will need to be covered by a transfer mechanism under the GDPR.
- Conversely, transfers to the EEA will be subject to the UK’s national law and any requirements that may be imposed there.
Irrespective of whether you have an establishment in the UK:
- Companies or organisations using processors in the UK or otherwise transferring data to UK-based companies or organisations will need to cover this with a transfer mechanism under the GDPR.
- Moreover, contracts between EEA controllers and UK processors will need to be updated as well to provide for the transfer mechanism used and to adapt any other contractual language to continue to comply with Article 28 GDPR.
Another topic to consider is whether there is any possibility for an onward transfer to the UK of personal data coming from your company:
- This could, for example, be the case when your processor uses a UK data centre or company as a sub-processor. You may have allowed this in the past, but now that the UK will become a third country, such a transfer can only be made on your documented instructions, even if you gave a specific authorisation in the past to use the UK sub-processor. It is worthwhile verifying that your processor has understood this, and you may want to reconsider whether you want to maintain this authorisation for the UK sub-processor. In any case, you need to ensure that a proper data transfer mechanism is in place for such transfers. As a controller, you will want to exert a decisive influence on how this is done.
- Conversely, if you are a processor for your main company activities and you want to continue using a UK company as a sub-processor, you will have to obtain specific documented instructions and an authorisation from the controller to do so. Moreover, you will have to agree with the controller on an appropriate transfer mechanism.
2.2. Second scenario: you are a UK-based company
If you are a UK-based company, you can use the following questions to identify which processing operations will need specific attention following Brexit:
- Do we have any contacts or customers in the European Economic Area (EU + Liechtenstein, Iceland and Norway)?
- Do we receive data from the EEA?
- Do we have a presence in the EEA or do we directly target customers/data subjects in the EEA market (or parts of that market)?
The impact of Brexit will again vary depending on the answer to those questions.
There are again two major outcomes:
- If you answered no to all questions above, Brexit will not have a significant impact, other than the applicable law becoming UK national law rather than the GDPR. Your best strategy is to be GDPR compliant now, since the UK has committed to maintaining the GDPR’s high standards after Brexit and implementing this into UK national law.
- If, however, your company had to answer yes to any of the above questions, Brexit will have a significant impact and you will need to take a closer look at the processing activities that involve personal data transfers from (and to) the EEA.
Your record of processing activities, which you are currently required to keep under the GDPR, should be a good starting point for this. Depending on the quality of the record and your role as a company, you may need to expand upon this by having an internal compliance trajectory to identify all incoming data from the EEA and to take all necessary measures to deal with Brexit.
If you have a presence in the EEA or directly target the EEA market (or parts of that market):
- You will need to comply with both the GDPR and the UK national law after Brexit.
- Any data received from the EEA (e.g. from an operational branch) will need to be covered by a data transfer mechanism.
- If you target the EEA market but do not have a presence (establishment) in the EEA, you will have to appoint a representative in the EEA (Article 27 GDPR).
- Whether you target the EEA market will depend on the situation at hand. The mere accessibility of your website or contact details does not suffice, but if your website is built to also serve customers in the EEA (e.g. by offering different currencies and languages, providing information on shipping to the EEA countries etc.), the GDPR may continue to apply directly and in full. Those processing activities that relate to that service offering and all processors involved will need to be in full compliance with the GDPR.
Even if you have no presence in the EEA and do not directly target natural persons in the EEA market:
- You may still receive personal data from the EEA for other reasons. This could be because you are a processor for EEA clients or because you are a UK company aimed at the UK market which nonetheless sometimes receives data from a sporadic EEA customer or sometimes carries out some orders for EEA companies.
- Many other reasons exist for having some data flows from the EEA to the UK, without having a real establishment in the EEA or targeting the EEA market directly.
In those circumstances, you will need to ensure that any personal data you receive is covered by a mechanism for transferring personal data outside the EEA, as set out in Articles 44 and following of the GDPR. Please note, however, that Article 49 GDPR contains some derogations for specific situations.
Depending on your situation, standard contractual clauses may be the only solution. Guidance on these can be found on the Information Commissioner’s Office’s website: https://ico.org.uk/for-organisations/data-protection-and-brexit/keep-data-flowing-from-the-eea-to-the-uk-interactive-tool/. These clauses are currently being re-written by the European Commission to be up-to-date under the GDPR and more easily applicable in practice, making them an attractive option for the future in any case.
In addition, irrespective of whether you have a presence in the EEA or directly target the EEA market (or parts of that market):
- You may need to adapt your contracts. If, for example, you are a UK processor for an EEA controller, your processing agreement under Article 28 GDPR, which the EEA controller will still need to have with you, will need to be adapted so as to include the initial transfer outside the EEA to the UK, and to specify the transfer mechanism that is used to justify such a transfer (e.g. standard contractual clauses).
- Transfers of personal data from the UK to the EEA may also become subject to requirements under the UK national law that will be introduced post-Brexit, which may further complicate the situation.
In conclusion, in order to identify processing activities that are impacted by Brexit, you must identify those processing activities that involve a transfer of personal data to the UK. This can be done by:
- Answering the questions above; and
- Consulting your record of processing activities; and
- Gathering further information internally or externally if needed.
This article is part 2 of a series of 6 articles about Brexit:
- Do I have to take into account the GDPR after Brexit?
- How to identify whether your processing activities are impacted by Brexit?
- Which personal data transfer mechanisms can you use?
- How to implement a personal data transfer mechanism?
- Which supervisory authority is competent after Brexit?