By Remy Wilders
Yet another Brexit article, but this one may be good news, or at least reassuring, GDPR-wise, for companies established in the UK.
The question is: what does a UK company need to do, post Brexit, regarding the GDPR? Answer: Very little, but this “very little” is essential.
The first important point to keep in mind is that the UK government intends to maintain the GDPR principles within its own privacy law, enforced by the Information Commissioner’s Office (ICO). Brexit will therefore have no impact in that regard. Hence companies which do not interact with the rest of Europe will still need to comply.
What about all the other companies, those which do business with, or simply have sites browsed by, European residents of the 27 other countries? Well, Brexit won’t be too bumpy for them in fact. On the contrary, it should turn out to be quite smooth, as there are simply a couple of formalities to see to.
Just to be quite clear, any company which has not yet taken the compliance path towards the GDPR still needs to do so, and that can be tedious. The “simple formalities” concern the companies which were GDPR compliant up until Brexit.
The first point regards companies which are subcontractors, partners or controllers (meaning you have subcontractors) for third-party companies based in the rest of Europe. Britain, having no GDPR deal, is now considered a “third country”. This impacts the transfer of data to and from Europe, as the GDPR distinguishes three sets of countries. The first set are the countries within the European Economic Area (EEA); the second group are the countries which have signed an agreement with Europe after imposing sufficient privacy laws within their borders. These countries are called “adequate”. Finally, all the other countries are considered “third countries”.
Doing business with “third countries” requires specific GDPR terms to be added to the contracts.
The good news is that UK companies have nothing to do themselves, because this obligation applies to the European companies. You simply need to know that you will probably be asked to sign a new version of the contract, or at least a Data Transfer Agreement (DTA). Since these clauses simply require that the UK company complies with the GDPR obligations, they should have no organizational impact.
The second subject which needs to be addressed regards the GDPR article 27: “Where Article 3(2) applies, the controller or the processor shall designate in writing a representative in the Union.”
This means that the UK company will now need to have an official representative in one of the other European countries. There are many companies offering to take on this responsibility. Their role will be to represent the UK company within Europe, which, by the way, means that the UK company maintains an official presence in Europe. Complying with article 27 is mandatory, but it need not be very expensive and can be set up online.
And that’s it. A couple of formalities and UK companies will be back to business as usual.
Any GDPR compliant company in the UK therefore has very little to do to remain so. For companies which haven’t yet made the move to become GDPR compliant, it is worth noting that some Representatives can also help with becoming compliant whilst providing all the relevant material and advice (EUDPR, for instance, offers a free coaching service in this regard).
So UK companies have nothing to fear from Brexit… regarding the GDPR.
— EUDPR (@SeamlessGDPR) March 10, 2019