BREXIT was scheduled to go ahead on 31st October 2019, but the EU has granted a further extension to 31 January 2020, giving organisations more time to prepare.
Of course, the future is still uncertain with the general election in the UK on 12th December 2019, but we know that many suppliers are being asked by their customers about their preparations for BREXIT. We have explored here the preparation activities that organisations should be considering under GDPR so that suppliers are able to answer their customers with confidence and understanding:
ACTIVITY: DATA TRANSFER MANAGEMENT
Customer Data Processing Agreements
If you are a Supplier (Processor) your Data Processing Agreements with your Customers (Controller) may need to be updated as a result of BREXIT.
In the event of a “no deal” Brexit, the UK will no longer be a member of the EU, and will be considered a “third country”. This could affect your customer agreements because it means that additional safeguards are needed to facilitate a transfer of personal data. For most organisations, SCCs (Standard Contractual Clauses) are the best way to keep data flowing to the UK.
You may be required to obtain consent from your Customer in the event of a transfer to a “third country”. If contractors of the Supplier are now based in a third country (ie. the UK) then these will need to be approved by the Customer along with the proposed transfer mechanism (likely to be SCCs).
Note - if any UK-based Supplier group entity is processing personal data on behalf of the contracting EEA-based Supplier group entity as part of the contract with the Customer, the UK entity should also be identified in the DPA for the Customer’s approval.
Organisations should review their Article 30 (Record of Processing Activities) and identify all customers who might be affected, ensuring the appropriate consents are in place for UK transfers.
Supplier Data Processing Agreements
Transfer arrangements will need to be updated in the following circumstances:
- Transfers to Suppliers, where the organisation is a Controller, for example outsourcing of payroll, HR, marketing activities to a UK based company (Processor)
- Transfers to Suppliers in the UK, where the organisation is itself a Processor, and it transfers personal data to a UK based company (Sub-Processor), for example subcontracting of hosting, delivery and support services.
- document all of their Supplier agreements and ensure that the role of the parties is clear (as Controller, Processor, Sub Processor etc)
- identify the location of suppliers
- identify an owner in the organisation of the Supplier relationship
- confirm that Data Processing Agreements as per Article 28 GDPR are in place with all suppliers
- confirm that technical and organisational measures are documented
- include Standard Contractual Clauses as part of the DPA for UK based suppliers
Intra-Group Data Processing Agreements
Entities who are members of the same group of companies should consider whether BREXIT will have an impact on any intra-group data processing agreements. Entities should already have ensured that the requirements of article 28 are met so that any controller/processor activity between group entities is covered by a Data Processing Agreement. If a group entity is in the UK, the Standard Contractual Clauses may need to be appended to the Intra-Group Data Processing Agreement to facilitate any transfer to and from the UK based group entity.
The GDPR requires the controller to notify data subjects if it intends to transfer personal data to a third country. Some organisations may need to update their Privacy Statements where, as a result of BREXIT, it will be transferring personal data to a third country (the UK), where previously it did not.
Further guidance on the OSS mechanism and LSA is available from the EDPB here
Organisations who are involved in “cross-border processing of personal data” should give some consideration as to whether BREXIT might affect their ability to rely on the “One Stop Shop/OSS” mechanism under the GDPR.
The OSS mechanism allows an organisation to deal with a single lead supervisory authority for most processing activities. A ‘lead supervisory authority’ (LSA) is the authority with the primary responsibility for dealing with a cross-border data processing activity, for example when a data subject makes a complaint about the processing of his or her personal data. Certain organisations who are able to identify a lead supervisory authority and avail of the OSS mechanism can benefit from significantly lessened administrative burdens.
If your Lead Supervisory Authority was the ICO in the UK and/or your DPO is based in a UK group entity, this structure should be given some consideration in light of BREXIT. If the DPO and exercise of central administration and decision making is in the UK, there may not be much that the organisation can do to change that. However, it should be something that the organisation reviews and documents as part of their risk register where the loss of access to the OSS mechanism could have repercussions for the organisation.
ACTIVITY: CUSTOMER COMMUNICATIONS
If you are getting a lot of questions about BREXIT from your customers, you might wish to send out a customer focused communication summarising the activities that you are undertaking to prepare for BREXIT. This will help to show that you understand the implications of BREXIT and you have everything under control…because, of course, you do!
Irish Data Protection Commission - https://www.dataprotection.ie/en/guidance-landing/transfers-personal-data-ireland-uk-event-no-deal-brexit