I was in Brussels last week attending Europe’s largest data protection conference.
At one session, Sir Ivan Rogers (the Permanent Representative of the UK to the European Union until he resigned in January 2017) gave his views on Brexit.
I am probably one of the few people who would willingly attend a speech about Brexit and data protection. I do these things so my clients don’t have to!
What did he say?
I’ll skip the insights he gave into the current toing and froing within the UK about the current exit deal.
He was very black-and-white about what will not happen.
In layman’s terms:
- Brexit will happen: The idea of a second referendum is a non-runner for a range of political and legislative reasons.
- It’s this deal or no deal: There is no likelihood of another deal being negotiated with the EU before March.
- The UK will leave the European club: Becoming a member of the EEA (European Economic Area) before the Brexit date is impossible.
- The UK will leave the ‘data protected’ club: Achieving an adequacy ruling before the Brexit date is impossible. The UK will no longer be regarded as a safe territory for personal data.
So, the choice is the deal negotiated between Theresa May and the EU, or no deal.
Theresa May’s deal will face a vote in the House of Commons on December 11th.
Right now, it looks like the vote will fail. It does not have enough votes to succeed.
If this happens and if there is no second attempt to get it accepted in the House of Commons, the most likely outcome at the end of March is that the UK will leave the EU without any deal.
What could a ‘No Deal Brexit’ mean for you?
From the end of March, a ‘No Deal Brexit’ means it may become illegal for you to send personal data of individuals (e.g. customers, employees, prospects) to the UK, or to store or process it there.
The only way to make it legal is to ensure there are specific measures in place to protect the data.
How does this look in practice?
Let’s say your Irish firm gets another organisation to do payroll processing. This provider runs your payroll each month, works out how much each of your staff should be paid and how much should be paid to the Revenue Commissioners.
For this payroll activity, your firm is a data controller and the payroll provider is a data processor.
Now let’s say this payroll provider performs some of these activities in the UK (for example, it stores the data in the UK).
This means you will have a problem with a ‘No Deal’ Brexit.
It is likely that you will need to add clauses into your contract with this payroll provider. These clauses are called ‘Model Contractual Clauses’ or ‘Standard Contractual Clauses’ (SCCs).
SCCs are one of the few mechanisms available to allow this data transfer to continue in the event of a No Deal Brexit.
(There are other safeguards, such as Binding Corporate Rules, but very few companies have these in place. Those that don’t won’t have time to put them in place by March. There are also some derogations available, but they apply only in very strict circumstances.)
What should you do now?
Find out if personal data processed by your firm ever goes to the UK. For example, go through the list of your data processors (including your cloud-based system providers) to see where the data goes.
Where personal data does get transferred to the UK, start getting the legalities in place before the end of March.
[Updated on 4th December: A week is a long time in politics! The UK government could cancel or postpone its plans to leave the EU before the Brexit date arrives. However, will the Brexiteers allow this?]