First the good news. Scotland has an enviably successful digital economy, one that gives companies in all sectors and of all sizes unprecedented access to worldwide opportunities. It is also largely unconstrained by the challenges most often predicted for a No-Deal Brexit: overflowing lorry parks outside ferry ports, punitive tariffs and their impact on the manufacturing, food and agriculture sectors.

However, multinational companies, financial services organisations and even online Hebridean suppliers of organic produce rely on and share a vital commodity – data. Most thought they were sufficiently up to speed with the legislation surrounding it by complying with GDPR (the General Data Protection Regulation), which requires any organisation processing the personal data of individuals in the EU to protect that data and their privacy.

[Photo: Martin Sloan, IP, Tech and Data Partner at Brodies LLP]

That landscape is set to change dramatically. When Parliament was prorogued earlier this week the BBC’s political editor Laura Kuenssberg suggested that the chances of a favourable deal with Europe being achieved ranged “somewhere between slim and negligible”.

Which is why Martin Sloan, a partner at Brodies LLP and a member of its Technology, Information and Outsourcing Group, believes that it is crucial to take decisions and make provisions – now. “Immigration, trade and customs have all been high on the agenda but there remains a lack of awareness about data protection,” he says. “And while we are certainly being asked about the possible consequences of the result of no-deal, the levels of enquiry are not quite what might be expected.”

The introduction of additional layers of legislation will render things opaque for many people whose main aim is to run a profitable business – and who have already and assiduously done their homework to comply with GDPR.

Sloan’s aim is to introduce some clarity, explaining the key issues that arise from the UK’s change of status on leaving the EU and the changes that will be made to data protection law immediately before exit day. “Currently, GDPR is EU regulation and applies automatically in each member state. In addition, we have the UK Data Protection Act 2018, which supplements GDPR with some of the laws necessary to give it effect. For example, how the ICO (Information Commissioner’s Office) operates and its powers to issue fines, on top of dealing with the areas of GDPR where member states have discretion,” he says.


What will happen upon Brexit, he explains, whether the UK leaves without a deal or at the end of a transition period, is that GDPR will become part of UK domestic law: as of exit day it will be copied into UK national law as it stands.

Earlier this year, he adds, a statutory instrument was passed which set out amendments both to the Data Protection Act 2018 and to what will become “UK GDPR”, as European GDPR contains aspects that will not make sense when the UK is no longer part of the EU. For example, references to the European Commission’s powers, including rules that apply to the transfer of personal data outside the European Economic Area (EEA – which includes all EU countries and also Iceland, Liechtenstein and Norway).

“Within the EEA you can transfer information to any other member state but if you want to transfer personal data to, say, the US, Australia or Singapore you can only do that according to the regime which limits transfers outside the EEA.

“So dividing GDPR into UK GDPR and EEA GDPR means that upon exit day these same rules will apply to any transfers outside that area and will also apply to transfers to the UK, which will no longer be part of the EEA unless there is a deal.”

So, what are the practical consequences?


Sloan explains: “A multinational business in Scotland with a subsidiary in France or Germany with which it shares personal data, will have to ensure that the transfer is lawful.

“That might mean putting in place the EU’s Standard Contractual Clauses between the relevant legal entities in the UK and the EU or seeking approval from the regulators for Binding Corporate Rules within a corporate group.”

The latter, he says, take a long time to set up and are costly. “It is unrealistic at this stage for many companies to do that unless they have already started the process,” he says. Which, of course, underpins the imperative of starting to plan for the process now.

While Standard Contractual Clauses are more straightforward, organisations will still need to spend time (and money) identifying data transfers and putting in place Standard Contractual Clauses. They will also need to ensure that they can identify what personal data is subject to what regulatory regime.

Because the UK government has said it considers that the EU offers an adequate standard of data protection, transfers from the UK to the EU will not need additional measures. The issue is transfers in the other direction, from the EU to the UK, which after exit day will be transfers to a third country unless the EU grants the UK an adequacy decision.

The EU has a very strict process for approving the adequacy of a third country that, says Sloan, looks beyond GDPR itself to situations that include the rights of intelligence services and law enforcement agencies to intercept and access data. He alludes to the “Safe Harbor” scheme that was designed to allow the transfer of European citizens’ data to the US by allowing companies such as Facebook to self-certify that they would protect EU citizens’ data.

Safe Harbor was ruled invalid by the European Court of Justice in 2015 (the Schrems ruling) because it did not provide sufficient protection against access to personal data by US intelligence and law enforcement agencies. There are other potentially significant changes: a company no longer part of the EEA offering goods or services to individuals within the EU will have to appoint someone in the EU to be its representative for the purposes of GDPR; conversely, a business in France or Germany offering goods or services to someone in the UK about whom it holds data will have to appoint a representative in the UK.

That, says Sloan, means that an IT company in Scotland trying to sell services to the EU – perhaps in website hosting – might find that potential customers decide that it is just too difficult to buy services from a company in the UK because of the additional administrative and legislative inconvenience.

“There is certainly a concern over the perception that businesses in France or Germany might just decide not to shortlist a Scottish or UK company because the data protection aspect might make it prohibitively complex,” he says. Such businesses should think about what they can do to head off those concerns.


The key issue for any company, he stresses, is to understand how the data within the organisation is stored, processed and shared. “For many of them, a lot of this will have been achieved as part of the preparation for GDPR – but people then were focusing more on transfers with countries outside the EU. With the imminent changes to the UK’s status within the EU – and especially if it involves a no-deal Brexit – the time to prepare is now.”

Cover all the bases with a no-deal Brexit action plan.

If your organisation only processes personal data in the UK and only in relation to individuals in the UK, then it is unlikely that you will need to take any action in the short term.

Others will not be so lucky and so should carry out an audit in order to identify what processing might continue to be governed by EU data protection law. This will also determine what actions you might need to take to prepare for a no-deal Brexit.

UK organisations will continue to be subject to GDPR where they process personal data in connection with the offering of goods or services to individuals in the EU, or the monitoring of their behaviour.

That might apply where the organisation provides goods or services directly, or where it provides back-office services to another organisation. Here are some things to consider:

  • Have you identified what processing will be covered by UK law and what processing will continue to be covered by GDPR? Will any activities be covered by both UK law and GDPR?
  • If your organisation will continue to be subject to GDPR, have you identified who you will appoint as a representative in the EEA? Can you appoint a local subsidiary or will you need to appoint a third party?
  • Do any of your EU group companies need to appoint a representative in the UK?
  • If your organisation operates EU-wide, and you have nominated the UK’s Information Commissioner as your lead supervisory authority, who will be the new lead supervisory authority for EU entities post Brexit?
  • How will you keep appropriate records? What changes do you need to make to your register of processing activities, privacy notices and internal policies and procedures to reflect the different regulatory regimes?
  • If you process personal data on behalf of an organisation in the EEA, or otherwise receive personal data from an organisation in the EEA, have you identified what you need to do to ensure that transfer will continue to be lawful?
  • If you have a service provider relying on Privacy Shield for transfers to the US, has it taken appropriate steps to ensure that the transfer will continue to be lawful, and does it have a fallback mechanism (such as Standard Contractual Clauses) should that scheme be challenged, as Safe Harbor was?
  • Have you reviewed and updated your contracts with suppliers and service providers? Will references to “GDPR” and the “EEA” or “EU” still make sense post-Brexit?

Implementing these steps will take time. Organisations can get on the front foot by assessing the potential impact now and creating a plan for what they need to prepare for in the case of a no-deal Brexit.

For more information please visit www.brodies.com