by Travers Smith LLP | 2nd December 2019 1:25 pm
One of the biggest operational impacts Brexit may have on UK organisations is on their ability to continue processing personal data about individuals in the European Union (EU) once the UK leaves the EU. This is the second of two briefings exploring the implications of Brexit for UK organisations which process personal data, and their ongoing compliance with data protection law.
In this briefing, we consider how UK businesses conducting cross-border trading in the EU will be affected by the General Data Protection Regulation (2016/679) (GDPR) as it applies in the EU (and the EEA, by virtue of incorporation of GDPR into the EEA Agreement), when the UK becomes a third country following Brexit and, in particular, how they will need to:
adjust to having a new data protection regulator in place of the ICO (in respect of their EU activities); and
appoint a representative in the EU.
The first point will not come as a surprise: businesses trading overseas, particularly when consumer facing, regularly need to decide how far to mould their trading operations around complying with local law to the letter, or whether to take the risk of a “one size fits all” approach (as many already do under GDPR). The second point will be new to UK businesses. In this briefing, we aim not only to inform you of the issues, but also to draw your attention to the practical steps you should think about now.
As we saw in our first briefing, upon Brexit, GDPR will continue to apply in the UK to the processing of personal data about UK data subjects. But following B(rexit)-Day, the UK will cease to be a member of the EU, and it will become a “third country” (i.e. a country outside of the European Economic Area) for EU purposes. As such, how UK businesses have to comply with GDPR as it applies in the EU raises issues which are additional to those faced in complying with GDPR as it is applied in the UK.
Following B-Day, in addition to complying with GDPR in domestic law, UK businesses will need to comply with GDPR as it applies in the EU, if:
they have an establishment within the EU and process personal data in the context of the activities of that establishment; or
without having an establishment in the EU, they process personal data of data subjects who are in the EU and the processing activities are related to the:
No more “One Stop Shop”?
However, Brexit has thrown a spanner in the works when it comes to coordinating EU operations via the “one stop shop” (OSS) principle, which would normally have been a handy way of dealing with differences in approach to data protection amongst the Member States.
Currently under the GDPR, UK businesses can benefit from the OSS principle, which allows a single data protection authority (usually the ICO for UK businesses) to be designated as the lead supervisory authority (LSA) for organisations, provided that they can demonstrate that they have a “main establishment” (or “single establishment”) in that jurisdiction (see box below for further details). The LSA for a business becomes the sole interlocutor for cross-border processing issues.
UK businesses that currently benefit from this mechanism are able to use their LSA to coordinate actions and complaints regarding cross-border processing (e.g. a complaint originating in France or Germany), with the help of other “concerned DPAs” (i.e. other data protection authorities in Member States affected by the processing).
The difficulty for many UK businesses is that, following B-Day, when the UK becomes a third country, the ICO can no longer be the LSA. It follows that, unless UK businesses can demonstrate otherwise or structure their operations accordingly, their main establishment (as defined in the GDPR and explained in European Data Protection Board (EDPB) guidelines) will be in the UK, not in the EU. They will therefore no longer be able to benefit from having an LSA in the EU, or from the OSS principle in general, and will instead have to deal with the supervisory authority in each relevant Member State.
Without an establishment which can clearly be shown to be a “main” or “single” establishment, or indeed without any physical presence in the EU, a business must deal with the supervisory authority of each Member State in which it is active. It would therefore be prudent to ensure you are familiar with the reach of your operations from a GDPR perspective.
Representatives of controllers and processors based in “third countries”
Even if a UK business has no establishment within the EU, the GDPR can still apply in the instances set out at the beginning of this briefing. However, a new requirement for such businesses (and indeed for any business outside the EU to which GDPR applies by virtue of its extra-territorial effect and which to date has relied on an EU representative based in the UK) is that they will have to appoint a representative in the EU, established in one of the Member States where the affected data subjects are.
The representative will be the primary point of contact for supervisory authorities and data subjects on issues of data processing, for the purposes of ensuring compliance with the business’s obligations under the GDPR, and must be authorised by the business to be addressed in addition to, or instead of, that business. Consequently, you should only appoint someone you would trust to pass on communications to you promptly. Traditionally, businesses have appointed a fellow group company in comparable situations, but this won’t be feasible for everyone.
Failure to appoint a representative pursuant to GDPR could result in a fine up to the greater of €10 million or 2% of global turnover, so this should definitely make it onto the list of Brexit action points for UK businesses.
So, what should you do to prepare?
UK businesses to which the GDPR applies should consider the following steps in preparation for Brexit:
Check for material variances in interpretation of the GDPR in those Member States where your data subjects reside (for example, variances in data breach notification requirements or in requirements to appoint a data protection officer), to avoid the risk of falling foul of EU practices or interpretations which differ from those of the UK. Any such variances should be worked into the business’s internal incident response and privacy policies.
Consider if you are still able to benefit from the OSS principle/consider whether this is something which is particularly desirable for your business. If it is, and to the extent that you are able to influence the situation, do you have a particular LSA in mind? In order to benefit, you’ll need to show that you have a “main” or “single” establishment in the particular Member State of the LSA. See box for further details.
Appoint an EU representative if you do not have an establishment in the EU – and update your privacy policies/data collection notices with this information.
The original article was posted here: https://www.traverssmith.com/knowledge/knowledge-container/brexit-your-business-and-data-processing-european-personal-data/
Source URL: https://www.gdpr.associates/brexit-your-business-and-data-processing-european-personal-data/
Copyright ©2020 GDPR Associates unless otherwise noted.