Privacy and Data Protection
Transfer of personal data from Belgium (and other EEA countries) to the UK. Extra measures will need to be adopted to legally transfer this data
Before 30 March 2019, as a Belgian organization you should (1) identify the processing activities that involve personal data transfers from Belgium to the UK (e.g. HR outsourcing, IT or payroll functions of a UK-based organization; storing data in the UK on a server or in the cloud); (2) determine the appropriate data transfer mechanism, including standard contractual clauses (“SCCs”), which in the short term are likely to be relevant to most Belgian organizations that transfer personal data to the UK (other available mechanisms are ad hoc data protection clauses; binding corporate rules; codes of conduct and certification mechanisms; and derogations); (3) implement the chosen data transfer mechanism to be ready before 30 March 2019; and (4) update and review your privacy documentation (see below).
Transfer of personal data from the UK to Belgium (and any other EEA countries)
The data transfers will not be restricted. The UK government has confirmed that all EEA countries (including Belgium) will be considered as “adequate” for data transfers (see below).
GDPR and personal data of UK data subjects
There will most likely be continuity in terms of data protection laws. The UK government intends to bring the GDPR directly into UK law after Brexit, to sit alongside the UK Data Protection Act 2018. There are no substantive changes expected in terms of data protection laws (this could also be an important factor in securing an adequacy decision; see below).
The UK will no longer be a member of the EU; instead, it will become a third country
Organizations operating within countries with adequacy agreements enjoy uninterrupted flow of personal data with the EU (for example, the adequacy decision with Japan). But an assessment of adequacy can only take place once the UK has left the EU and it may take a while. Until an adequacy decision is in place, your organization will need to put in place alternative transfer mechanisms for transferring personal data from Belgium to the UK, such as SCCs (see above).
Appointment of a new UK representative
If your company is subject to the GDPR but neither established in the EEA (Belgium) nor in the UK, you may post-Brexit have to appoint two legal representatives (one in the EEA and one in the UK).
Designation of the lead supervisory authority (“LSA”) may need to be reviewed
Post-Brexit, if your Belgian organization’s main establishment is in the UK (the place where decisions about the purposes and means of personal data processing are taken), the Information Commissioner's Office may no longer be your LSA. You will have to assess which of the other data protection authorities (“DPAs”) is the most appropriate to be your LSA or leave cross-border processing activities subject to regulation by multiple DPAs.
Ensure your data protection officer (“DPO”) or privacy representative is aware of the key changes and they must ensure your company continues to comply
Your DPO or privacy expert needs to be aware of the ongoing importance of GDPR compliance, as well as specific implications for any European operations and data flows. He/she should have expert knowledge of both UK data protection law and the GDPR, and be “easily accessible” from both locations. Keeping up to date with the latest information and guidance is of paramount importance.