
Privacy and Data Protection

Checklist

1.    Transfer of personal data from Belgium (and other EEA countries) to the UK. Extra measures will need to be adopted to legally transfer this data.

As a Belgian organization you should (1) identify the processing activities that involve personal data transfers from Belgium to the UK (e.g. HR outsourcing, IT or payroll functions of a UK-based organization; storing data in the UK on a server or in the cloud) and understand the data flows with the UK; (2) determine the appropriate data transfer mechanism, such as standard contractual clauses (“SCCs”); binding corporate rules; codes of conduct and certification mechanisms; etc.; (3) implement the chosen data transfer mechanism; and (4) update and review your privacy documentation (see below).

2.     Is there any transition period?

Yes. Companies and other entities will enjoy a grace period until 31 December 2020. This means that for most (data protection) purposes the UK will continue to be treated as if it were a member of the European Economic Area (“EEA”). During this period, the UK and the EU will have to negotiate cross-border transfers of personal data. The GDPR will continue to apply in the UK throughout the transition period.

3.    Transfer of personal data from the UK to Belgium (and any other EEA countries)

Data transfers will not be restricted. The UK government has confirmed that all EEA countries (including Belgium) will be considered as “adequate” for data transfers (see below).

4.    GDPR and personal data of UK data subjects

No substantive changes are expected in terms of data protection standards. The UK government intends to bring the GDPR directly into UK law (as the “UK GDPR” - United Kingdom General Data Protection Rules), effective at the end of the transition period, to sit alongside the UK Data Protection Act 2018. This latter Act is expected to supplement and modify the UK GDPR. For the UK this will most likely be a significant factor in securing an adequacy decision from the European Commission (see below).

5.    The UK will no longer be a member of the EU; instead, it will become a third country after the transition period

Organizations operating within countries with adequacy agreements enjoy an uninterrupted flow of personal data with the EU (see, for example, the adequacy decision with Japan). It is, however, not clear whether the European Commission will decide that the UK ensures an “adequate level of data protection.”

Until an adequacy decision is in place (if any), your organization will need to put alternative transfer mechanisms in place for transferring personal data from Belgium to the UK, such as for example binding corporate rules or SCCs.

6. Are standard contractual clauses (SCCs) still a valid mechanism for data transfers?

Pending the decision of the Court of Justice of the European Union (CJEU), the SCCs continue to be a valid ground for transferring data internationally. In his recent Opinion, Advocate-General Henrik Saugmandsgaard Øe (in Case C-311/18, Data Protection Commissioner v Facebook Ireland and Maximillian Schrems) stated that he saw no grounds for invalidating SCCs. Although the CJEU is not bound by the AG's opinion, we think it is unlikely the CJEU would depart from it.

7.    Review your privacy information and your documentation (such as your privacy policy, record of processing activities, data breach response plan, DPIAs, etc.) to identify any items that will need to be updated

In particular, you will need to review the international transfer provisions in your privacy policy and record of processing and make sure they include details of transfers to the UK. You may also need to update who you need to notify in the event of a data breach or an incident notification under the Network Information Systems laws. You may also need to review existing DPIAs when they involve any data transfers between Belgium and the UK.

8.    Appointment of a new UK representative

If your company is subject to the GDPR but is neither established in the EEA (Belgium) nor in the UK, you may have to appoint two legal representatives (one in the EEA and one in the UK).

9.    Designation of the lead supervisory authority (“LSA”) may need to be reviewed

Post-transition period, if your Belgian organization’s main establishment is in the UK (the place where decisions about the purposes and means of personal data processing are taken), the Information Commissioner's Office may no longer be your LSA. You will have to assess which of the other data protection authorities (“DPAs”) is the most appropriate to be your LSA or leave cross-border processing activities subject to regulation by multiple DPAs.

10.    Ensure your data protection officer (“DPO”) or privacy representative is aware of the key changes and ensures your company continues to comply

Your DPO or privacy expert needs to be aware of the ongoing importance of GDPR compliance, as well as specific implications for any European operations and data flows. He/she should have expert knowledge of both UK data protection law and the GDPR, and be “easily accessible” from both locations. Keeping up to date with the latest information and guidance is of paramount importance.
