As the prospect of the UK crashing out of the European Union looms large, little attention has been paid to the issue of data transfer between the UK and Europe. the last substantive guidance issued by the UK government was in February 2019. This is an important issue that businesses ignore at their peril.
Dr. Thomas Otter, in an advisory note entitled Brexit, dropping HR IT in it, said:
If I were the head of HR of any organization with dealings with the UK, I would be asking for a plan from IT for HR systems under a no-deal Brexit on my desk by the end of this week. I’d demand a statement from all the vendors the organization works with about their plans for Brexit.
If you have staff in the UK providing support on your EU systems, you will need to make sure they can. You may well need to draw up contracts between subsidiaries and head office, so your lawyers had better get on it.
Vendors had at least 2 years to prepare for GDPR, and many still don’t really have their act in order. A no-deal Brexit would create a whole new level of disruption. Vendors that host and support the EU from the UK will need a plan quickly, but this will impact pretty much every HRTECH vendor doing business in the UK. For US vendors that rely on the Data Shield, at a minimum you will need to update your policies to account for Brexit (see ICO guide).
While the obvious image of a no-deal Brexit is queues at the port of Dover, Port 80 is going to be a whole lot messier. I’m thinking of a red bus metaphor, but give me a while…
Following up on this, I asked Dr. Otter to give me a 1,2,3 action list on this topic. He gave me six in a Tweeted message:
- Provide an inventory of all applications processing people data. Should be done for Article 30 of GDPR. See also BS 10012:2017
- Assess risk under GDPR. (Article 32, 35)
- Assess additional risk under hard Brexit, as now most systems will be restricted transfer, so will need “appropriate safeguards”....
- Demand statement from all vendors on their prep for hard Brexit.
- Seek clarity from legal counsel on the state of adequacy decision (See statements from Buttarelli EU DP dude on this)
- Hope something sensible happens between now and Oct 31.
I then had a back and forth with Dr. Karen McCullagh, one of the leading academic experts in the field who has curated a selection of documents and reports on the topic. Dr. McCullagh is concerned about the UK's preparedness for a no-deal Brexit. She says:
- The UK will become a 3rd country if we leave on 31st Oct with no deal in place.
- If we do that there will not be an adequacy decision in place. (the withdrawal agreement that had been negotiated by Theresa May provided for transitional arrangements and agreement that an adequacy decision would be sought and prioritised during the transition period). Given that the withdrawal agreement is 'dead' leaving with no deal means that the UK will not necessarily be prioritised if/when it seeks an adequacy decision.
- An adequacy decision is the most suitable mechanism given the large volume of data transfers between the EU and UK.
- An alternative (but less ideal) mechanisms could be used. One such option for large multinational companies is to use Binding Corporate Rules (BCRs). However, the sticking point with these is that they have to be reviewed by a national DPA (and circulated to other DPAs for commentary/revision) before final approval by the EDPB. The UK ICO could no longer approve BCRs and any previously approved BCRs would have to be submitted afresh to a MS DPA....time consuming, and expensive.
In answer to the question - does a no-deal Brexit mean that technically, the UK would be in breach of EU data transfer regulations, she reiterated something Dr. Ottter told me that it is "frustratingly complicated."
If a UK based company had BCRs approved by an MS DPA e.g. in Spain then they could use these to lawfully effectuate EU-UK personal data transfers in the event of a no-deal situation. My advice/the advice of ICO, UK gov't etc. is that most UK businesses should seek to rely on Standard Contractual Clauses i.e. pre-approved clauses. Great if you're a large company capable of revising contracts to include these clauses...not so great if a small/start-up entity.
The problem, of course, is timing. While reliance on SCC might be fine for large companies, it is doubtful whether small firms and startups will have the legal budget required to put measures in place by the time October 31st swings around. Note what Dr. Otter says about GDPR and how well that's gone.
It may not be fashionable to take academics seriously but in this case, we're talking about laws that cannot be skirted or walked around with any degree of certainty.
Some advisors have basically said - don't worry, it's business as usual. But given the fractious state of relations between the EU and the UK, it would be foolish to make any assumptions about this topic. And that's all before we get to thinking about data security and privacy at a more general level.