dswinhoe
Editor

Interim data deal and Brexit: What CISOs need to know now the UK has left the EU

Feature
05 Jan 2021 | 8 mins
Compliance, Data Privacy, Security

With an interim data deal in place, data transfers between the EU and UK remain legal and simple for a short period.


The UK has left the European Union (EU) and an interim agreement regarding data protection has been agreed upon. As a result, data flows between the UK and EU can continue freely as they did before, and organisations can operate as normal for a period.

However, the agreement between the UK and EU has a limited shelf life and it’s not clear what could happen afterwards, leaving UK firms in a potential state of flux over how to properly prepare for the long term.

What does the Trade and Cooperation Agreement mean for data protection?

The Trade and Cooperation Agreement (TCA) between the UK and EU states that the UK shall not be treated as a third country for an interim “bridging” period of four months starting from January 1, 2021, and will be automatically extended to six months unless either the UK or the EU unilaterally objects.

During the interim period, UK companies can continue to send data to and from the EU without additional measures in place, and the UK will not change its existing data protection laws. During this period, the European Commission will decide whether it views the UK’s data protection regime as “essentially equivalent” to the EU’s and therefore whether data flows can continue without restriction. However, an adequacy decision is not guaranteed, and more restrictions may come into force later in the year.

“In a nutshell, this means that any UK company holding EU citizen data must ensure it is protected and stored correctly to EU standards in order to comply,” says Gareth Williams, vice president for secure communications and information systems at Thales UK. “To do this, CISOs should first prioritise investment in encryption to protect the data at rest and in transit. Not only that, but the control over the data must reside within the EEA itself, as the EU dictates.”

The temporary nature of the deal leaves UK CISOs and data protection officers (DPOs) in a precarious position going forward. Putting legal mechanisms in place to keep data flows compliant in the event the UK isn’t granted adequacy is expensive and time consuming and may turn out to be unnecessary, yet failing to prepare could lead to large fines further down the road if adequacy is not granted.

“Moving to standard contractual clauses (SCCs) is a good precautionary measure for some organisations,” says Jimmy Desai, GDPR and commercial solicitor at Keystone Law, “although for some organisations this may involve an extensive exercise, which may prove to be wasted time, cost, and effort if the UK is ultimately assessed as adequate.”

While UK firms are free to continue receiving data from the EU freely during the interim period, the ICO has said UK companies receiving data from the EU should put alternative transfer mechanisms in place “as a sensible precaution” to safeguard against any potential interruptions in the future.

Which data laws still apply in the UK post-Brexit?

While the EU’s GDPR will no longer apply to UK citizen data, the UK’s Data Protection Act 2018 is still in force, as is the UK’s own version of GDPR. As such, UK firms will need to ensure they are protecting personal data collected in the UK, respecting privacy, gaining consent, and processing personal data carefully. EU citizen data gathered and housed in the UK is still subject to the EU’s GDPR requirements and should be protected as such. Companies that are classed as critical national infrastructure are also subject to the NIS Regulation.

The Privacy and Electronic Communications Regulations—the UK’s implementation of the EU e-Privacy Directive—will also still apply. As such, very little will change in terms of day-to-day data protection requirements, and UK firms will need to ensure they are compliant with almost all the same data protection requirements for UK data as they were in 2020. The EU’s eIDAS regulation will no longer apply, but the UK Government is reportedly looking to bring eIDAS or something very close to it into UK law very soon.

These rules may change in the future. The UK has said it plans to retain a strong data protection regime after leaving the EU, but has also said it may well diverge from the current EU positions on certain aspects. CISOs, DPOs and organisations’ legal teams will have to stay alert for any changes.

Sending data from the EU to the UK

With the interim agreement in place, UK organisations can receive EU citizen data in the same manner as they did during Union membership or during the transition period. However, CISOs and DPOs will need to be alert to news coming from the ICO and the EU on what happens after that interim period ends.

If the EU rules the UK is adequate, or a further deal is struck, nothing will need to change. If a permanent data protection deal or adequacy decision isn’t struck by the end of the interim period, the UK will be classed as a “third country” by the EU. This means UK organisations cannot receive EU citizen data in the same manner as they did during Union membership or during the transition period.

Firms receiving EU citizen data should ensure they have the right legal mechanisms in place to ensure compliance with the EU’s GDPR. The most straightforward route is through SCCs, which are templated agreements between the parties sending and receiving the data. Under SCCs, EU citizen data should expect the same level of protection as it would receive from a company directly under the purview of the GDPR. An SCC is required for each individual data flow.

Binding corporate rules (BCRs) are more flexible than SCCs but are a lengthy and costly route that requires direct involvement from data protection authorities in the EU. BCRs will likely only be appealing and feasible to large enterprises with a large footprint across the UK and EU. Some companies may wish to reassess their data flows and reduce the amount of data they send to the UK or move their headquarters/data processing from the UK to the mainland to avoid some of the legal hurdles.

“Organisations should focus on understanding their data flows, assessing the risk associated with them and implementing safeguards, like pseudonymisation, to manage that risk,” says Marcus Grazette, Europe policy lead at Privitar. “Because the GDPR has been retained in UK law, practitioners (DPOs, CISOs etc.) should not see any immediate change whether we’re in a deal or a no deal scenario.”

UK firms receiving EU citizen data should also ensure they have a representative in the EU, as required under the GDPR, to deal with data protection authorities. A permanent trade deal or adequacy decision may be made later which would remove some of these requirements, but whether that might happen is unclear.

Sending data from the UK to the EU

Data flows from the UK into Europe will remain unaffected. The UK has deemed the EU’s data protection regime as adequate and companies will still be able to send data without interruption. EU firms will have to appoint a UK representative to deal with the ICO as required.

“Much as the EU GDPR is extraterritorial, the UK version will be as well,” says Steve Kuncewicz, data protection and privacy law expert at law firm BLM. “Given that both regimes share a common approach, we’ll likely see a growth in the appointment of ‘UK Representatives’ and the revisiting of contracts and policies to refer to the new legislation. Again, adequacy seems a long way off for the time being, but there’s a lot that businesses can be doing to fill that gap.”

Sending data from the UK to the US

After the fall of Privacy Shield, companies sending data from the UK to the US should, as is the case with data coming from Europe, be relying on the likes of SCCs and BCRs as legal transfer mechanisms for data. Data sent to the US should have a similar level of data protection as it would receive in the UK. US firms receiving UK citizen data will need to appoint a UK representative under the UK GDPR, as they do in Europe under the EU GDPR, to deal with data protection authorities.

Kuncewicz says that while the Schrems II case ensures SCCs to the US remain in place, there is a greater focus on the exporter to map data flows and identify the additional safeguards on which they’ll rely to ensure the data is adequately protected. A new Privacy Shield arrangement may be agreed in the future, but it is unclear when this might be.

Sending data from the US to the UK

Data flows from the US into the UK remain unaffected.

Existing adequacy decisions

The UK intends to conduct its own adequacy decisions in future, but will continue to honour EU adequacy decisions with the following countries:

  • Andorra
  • Argentina
  • Guernsey
  • Isle of Man
  • Israel
  • Jersey
  • New Zealand
  • Switzerland
  • Uruguay
  • Japan

Canada has a partial adequacy decision. Data sent to countries not covered by an adequacy decision should be protected through SCCs, BCRs, or a similar legal mechanism to ensure adequate data protection is enforced. The IAPP has published a Brexit privacy checklist which will help organisations understand the key tasks and checks they should make to ensure compliance with UK and EU requirements.