Brexit will mean businesses have to make some changes to how they operate, and this is no different when it comes to the handling and protection of personal data.
Leaving the EU means that you will need to adapt the way you control this data and ensure that you meet new requirements. These changes must all be in place before we leave the EU on 1 January.
There are quite a few things to consider, so to help you, here is a checklist on what you need to think about and get ready.
Working with personal data from the EU
Identify a lead supervisory authority in the EU
- This authority should be in the country most of your EU data subjects live in.
- See if there are any additional requirements. Perhaps there are registration fees or requirements for extra information when it comes to your processing activities.
- Check their guidance on things such as data subject access requests, data protection impact assessments and personal data breach reporting. The guidance you get from your lead supervisory authority should always be your first port of call.
- Ensure that your processes are reviewed against this guidance – by doing this now, you will be equipped with evidence if a problem occurs later down the line.
Appoint an EU representative
- Make sure you have the right processes in place to support the EU representative. They will be the one who is contacted if there are any requests by the supervisory authority, so they will need to be equipped to respond to things such as data subject access requests.
- Tell the lead supervisory authority about your representative. EU GDPR says that you will need to notify them – check to see if this needs to be done in writing.
- Update your privacy notices.
- Update your privacy notices so that they identify who your lead supervisory authority and representative are. You should also provide their contact information.
- Make sure your privacy notices reflect all of your international transfers. Transfers made between the UK and EU will become international ones from 1 January, so you’ll need to provide information on how they will be secured.
Appoint a data protection officer
- A data protection officer isn’t always necessary, but you will definitely need one to abide by EU GDPR.
- Make sure there is a plan to overcome any language barriers. In an ideal world, your data protection officer will have fluency in the language of your supervisory authority as well as some local legal expertise. If not, you will need to provide resources to overcome this barrier.
- Ensure that the data protection officer is up to date on both UK and EU GDPR.
Update processing activities records
- Make sure your processing activities records are updated, particularly if you will be carrying out transfers between the UK and EU. UK GDPR will also require more information in the record.
Data protection impact assessments
Review your assessments
- Check your data protection impact assessments and ensure that any new risks are addressed. This is particularly important for international transfers.
The lawful basis of processing
Check the lawful basis of processing for activities that involve international transfers
Data adequacy is a status granted by the European Commission to countries that are outside of the European Economic Area. It means that this country’s personal data protection is comparable to that of European Law.
- After the transition period, the UK will not be able to benefit from a free flow of data. The UK’s adequacy assessment has a timescale with a suggested end date of December. If it is not granted by the end of the transition period, you will need to change your lawful basis for processing.
Contracts for international transfers
Review contracts to identify those that need standard contractual clauses
- Find those that need standard contractual clauses – this could include transfers back into the UK if you are using a supplier in the EU.
- Are these standard contractual clauses enough? You may need to apply some supporting clauses.
- Check that the practices laid out in current agreements meet these standard contractual clauses. The whole contract needs to support them, so you may need to renegotiate.
- Establish if a review of supplier relationship management processes is needed. Bear this in mind if you need to review a lot of contracts.
- Create a list of back-up suppliers. If your current suppliers can’t comply with the new requirements, you need to make sure you have other arrangements in place.