NJORD Estonia: GDPR in the light of no-deal Brexit
The GDPR entered into force on May 25, 2018. The Brexit saga is significantly older, but regardless of that history, the future is confusing for businesses that operate internationally and across borders.
Should we expect many changes from the point of view of the GDPR?
On the one hand, the UK was an EU member state during the development and enforcement of the GDPR, and London participated in drawing up the European data protection rules. Consequently, the UK has harmonized its national legislation with EU data protection law. However, the similarity of the EU and UK data protection regulation does not resolve all problems. All countries outside the EU are treated as “third countries” by the Member States, meaning that when data is transmitted to the UK after a no-deal Brexit, Articles 44 and 45 of the General Data Protection Regulation (GDPR) apply.
The European Data Protection Board, as well as the UK’s relevant authority, have developed guidelines for organisations for situations where data needs to be transmitted to either side after a no-deal Brexit. One solution would be to use the standard data protection clauses adopted by the Commission or, alternatively, other similar agreements.
Five steps to follow when transmitting data to or receiving data from the UK
Companies should already familiarise themselves with what the data processing procedure in the UK will look like for data originating from the EU.
Secondly, it is necessary to determine and apply the means of data transmission that is particularly suited to the nature of the data to be transmitted and processed.
Do not overlook your internal rules of procedure and data processing instructions. In practice, companies and organizations commonly conclude agreements or arrangements between themselves for processing data, but the weakest link turns out to be their own employee who has not been sufficiently instructed, or a deficiency in technical capacity.
Be sure to review and, if necessary, change all privacy policies and personal data processing notifications that are aimed at corporate customers and the public. If data is transmitted to the UK after Brexit, the data is being transferred to a third country, and the data subject must be informed of this.
To verify whether amendments are needed to the rules for concluding agreements and processing personal data, companies need to carry out an audit that gives a clear overview of the actual data processing and of the documents describing the processes.