Companies have been so preoccupied with the challenges presented by Covid-19 – delivering remote working overnight, getting people back into offices safely and securely, and potential job insecurities – that they have been distracted from Brexit. But with less than two months to go until the transition period ends on 31 December 2020, businesses find themselves with a series of data protection, privacy and governance challenges to overcome.
Even without Brexit, the data governance landscape has its challenges, and best practices still apply. However far along organisations are on their data protection journey, the UK preparing to leave the EU is an opportunity to take some key actions before the transition period ends to not get caught out.
Here are some of the considerations around data protection risks that organisations may not – but should – be prepared for before the turn of the year.
The movement of personal data between different locations is a crucial area for companies to consider. They need a clear view of the logistics around data transactions, where they store it and the rules and regulations as a result, especially (but not exclusively) how they interact with their customer base.
Transfers from the UK to other countries can continue under existing arrangements, at least for the time being. But companies in the EU need to be ready with answers to a range of data sharing and storage scenarios. Broadly these questions cover three key areas: Where can I store my data? Which countries can view my data? In which countries can I process the data?
Depending on the answers, organisations might need to consider technology solutions that provide the right level of governance and support concepts such as anonymisation or obfuscation (removing data) to enable them to continue to manage operations and performance.
Whichever applies, it is likely that businesses will need to update their documentation and privacy notice to expressly cover any resulting data transfers and formulate a communication plan to notify data subjects about updated privacy notices.
Think about your ecosystem
Companies must also consider their data ecosystem as part of their governance strategy. Engaging with third party organisations that form part of their supply chain is paramount so that transparency on data transactions is prevalent and compliance is adhered across jurisdictions.
Once again, responsibility expands beyond the processing one performs and so the same questions over sharing, viewing and processing data apply. Do a company’s contacts fall within the European Commission adequacy provisions or provide it with the safeguards it needs? Further, how is the company getting confidence around its compliance with those safeguards? Whether companies are using standard contractual clauses or more specific terms and conditions, these need to be right.
If the business is receiving personal data from a country, territory or sector covered by a European Commission adequacy decision, transparency extends to knowing how the sender of the data will comply with its local laws on international transfers.
GDPR, PECR and other compliance initiatives
The interaction between key EU legislation – the General Data Protection Regulation (GDPR), the Privacy and Electronic Communications Regulations (PECR), the eCommerce directive – and Brexit will introduce some complications that need to be considered before the end of the year.
These include the appointment of a representative in the EU, identification of an EU Supervisory Authority (SA) as a lead authority, arrangements for a new EU-based Binding Corporate Rules Lead SA or accessibility of UK-based Data Protection Officer (DPO) to all data subjects in the EU. In addition, there is also the possibility that multi-jurisdictional fines will be imposed on material breaches of UK and EU data.
Organisations must take stock of the personal data they hold to distinguish between data acquired before the end of transition period and after in order to comply with EU data protection law or data protection provisions of a withdrawal agreement as the case may be.
While other compliance initiatives – such as PECR rules – will continue to apply the eCommerce Directive will no longer apply to the UK at the end of the transition period, hence organisations may have to ensure that they are compliant with relevant requirements in each EU country they operate in. Businesses need to be clear on about how they manage their compliance programme going forward especially as the UK and Europe have a two-tiered system in place.
Fundamentally, it remains vital that companies have the information they need to track where their data assets are and how data moves into, around and out of the organisation. GDPR provides the framework for businesses to manage this and making sure that it is working well and understood by staff will be key.
Opportunity to reflect
On top of the regulatory requirements and the immediate response to Brexit, now is also an opportunity for businesses to reflect on the data they collect, consider what exactly it is used for, conduct early awareness training on Brexit implications for key functions to keep them abreast of the potential changes and decide whether to invest in technology to analyse it properly. For example, there are tools to anonymise data collected and perform analysis, while preserving anonymity of the individuals.
Brexit should not be about businesses stopping what they were previously doing, but ensuring that proper care is taken to meet the changed requirements.
Ultimately, Brexit doesn’t change our responsibility for protecting individuals’ data, and it remains a fundamental and integral part of how the UK does business. What it does do is change the mechanisms we have previously relied on and perhaps requires businesses to have clear sight and understanding of what they are doing with their data.
The regulatory environment in the EU is also changing. The recent European Court of Justice ruling on Schrems II struck down the EU-US Privacy Shield agreement and called into question some elements of standard contractual clauses. DG Justice, the branch of the European Commission responsible, has recently launched a consultation into how companies use standard contractual clauses in response to the ruling. Companies should be alive to future changes to the regulatory environment governing data protection.
The regulator is only going to get more focused and therefore the world we live in today will be a far more regulated environment so that the UK continues to be competitive and protect consumer data.
Paul Smith is associate partner in risk advisory at EY UK&I; Krittika Singh is senior consultant in risk advisory at EY UK&I.