Data, GDPR and your agency after the end of the Brexit transition period

The Brexit transition period ends on 31 December 2020. That means that from the 1 January 2021, the UK's relationship with Europe changes, and that has serious consequence for all agencies in the UK, especially those with connections outside the UK.

We've written a detailed Board Briefing on all the aspects of the end of the transition period that will affect agencies.

The briefing covers lots of things:

• A summary of the status quo, including:
  • What is known on the state of trade negotiations between the UK and EU;
  • Existing trade deals via the EU that will roll over after the end of the transition period
  • New trade deals with other nations or trading blocks since leaving the EU.
  • Mutual recognition agreements, in lieu of trade deals.
• A discussion of the issues at stake for agencies, covering:
  • Access to Europe, for markets, travel, shipping, etc.;
  • Legal and regulatory matters;
  • The impact of Brexit on services;
  • Contracts and legal issues for agencies;
  • Currency risks;
  • Data protection and data privacy after the end of the transition period;
  • People, whether staff, clients or suppliers.
• A thorough review of the impacts on agencies:
  • Deal or no deal, what does it mean?
  • Practical implications
  • The mitigation options

This blog is an excerpt from the full Board Briefing paper. It outlines one aspect in particular — what impact is there on data after the end of the transition period?

Data protection and data privacy after the end of the transition period

The issues for data from 1 January 2021 mainly relate to the General Data Protection Regulation (GDPR).

The background

GDPR provides a legislative and regulatory framework for two things in relation to data:

1. GDPR allows for the flow of private data between EU member states.
2. GDPR allows for the flow of private data between the EU and third countries.

Board Briefing: What the end of the Brexit transition period means for agencies

Once a month we publish a detailed briefing for subscribers to guide in-depthdiscussions at board meetings. This is designed to bring the kind of thinking,analysis and viewpoint to your agency board meetings that you’d expect from anexperienced non-exec, but at a fraction of the cost. If just one…

Agency RadarDr Joe Baker

After 31 December 2020

After the end of the transition period, the UK becomes the second of these, a third country.

The EU has already said that UK data can flow into the EU without anything further needing to be done.

The issues with data protection arise for EU data flowing into the UK. Matters here are substantially more complicated than they first appear.

The superficial assumption for data and the UK’s relationship with Europe after the end of the transition period is that it would be simple — we’ve implemented GDPR, we will enshrine that in UK law post-Brexit, the UK will become a third country and everything will carry on as before.

It isn’t.

Rules for third countries are substantially more strict and exacting.

The issue for third countries is not just about whether GDPR has been implemented sufficiently.

It also incorporates a consideration of all of the third country’s legislative framework, comprehensively, taken in their entirety, to understand whether EU citizens will experience the same level of protection for their private data as they would within the EU.

What this means in the UK

This is a particular issue in the UK because we have the Investigatory Powers Act (2016), often known as ‘the snoopers charter’.

Many EU member states, and the EU Commission in particular, have already ruled that this Act is incompatible with EU law, allowing for private and personal data to be handled and accessed in a manner with which they are not content.

The UK needs an EU ‘adequacy decision’ on its data protection regulations for this issue to be dealt with, but it is unclear whether this will happen, especially whether it will happen by 1 January 2021.

Without a trade deal, it is even more unlikely for the UK to receive an adequacy decision by 1 January 2021 as the EU has wrapped many things together into one negotiation.

How we thought we would deal with this

The UK had intended to respond to this by using the EU–US Privacy Shield scheme as a precedent.

However, that fell apart in July with the Schrems II decision of the European Court of Justice, which struck down Privacy Shield, ruling that personal data transferred to and stored in the US could not be guaranteed an adequate level of data protection as that under GDPR.

What this means for agencies

This matters for agencies.

• Penalties for contravention of GDPR are substantial — up to 4% of global turnover. You will need to consider what you need to do to respond.
• Without (a) an adequacy ruling, or (b) a stand-in UK–EU equivalent to Privacy Shield, there is no way under UK law for data to lawfully flow from the EU to the UK.

For data to continue to flow from the EU to the UK lawfully, UK businesses must respond themselves.

UK businesses will need to include either 'standard contract clauses’ (usually for small to medium-sized businesses) or ‘binding corporate rules’ (usually for large businesses) in their contracts to cover data protection and privacy.

Fortunately, the Information Commissioner’s Office (ICO) has a lot of supporting materials for UK businesses to maintain the flow of data between the UK and the EU after the end of the transition period.

Here is where you can go to find the items your agency needs to respond to the data protection issues that arise from the end of the Brexit transition period:

• ICO General guidance on Data Protection at the end of the transition period.
• ICO interactive guide for Standard Contract Clauses (SCCs) to keep data flowing from the EEA to the UK, including cut-and-paste clauses you can include in your contracts.
• ICO support for Binding Corporate Rules (BCRs).
• ICO guidance on international transfers of data.

Knock-on effects

There are a number of potential trickle-down effects for agencies that arise from the way that their digital suppliers — services, platforms and products on which agencies rely to provide their own services — respond to the end of the transition period.

Agencies working in the digital sector may rely on large global suppliers for some of their platforms and data storage, such as Amazon AWS or Google Cloud.

A number of these suppliers are already moving their data storage for UK accounts out of Europe and, for instance, to the US data storage centres.

This may increase the difficulties for UK agencies with digital service offerings or products to comply with GDPR requirements.

This blog is an excerpt from the full Briefing Paper on what the end of the Brexit transition period means for agencies in the UK. Subscribe to Agency Radar for access to the full paper.

Board Briefing: What the end of the Brexit transition period means for agencies

Once a month we publish a detailed briefing for subscribers to guide in-depthdiscussions at board meetings. This is designed to bring the kind of thinking,analysis and viewpoint to your agency board meetings that you’d expect from anexperienced non-exec, but at a fraction of the cost. If just one…

Agency RadarDr Joe Baker

Photo by Clay Banks on Unsplash

More Board Briefings for you:

Board Briefing: The Pandemic in 2021

Once a month we publish a detailed briefing for subscribers to guide in-depthdiscussions at board meetings. This is designed to bring the kind of thinking,analysis and viewpoint to your agency board meetings that you’d expect from anexperienced non-exec, but at a fraction of the cost. If just on…

Agency RadarSteve Parks