GDPR: 6 Tips to Brexit-proof your data practices

The effect of the United Kingdom leaving the European Economic Area (EEA) is due to occur at the end of this year and on 1st January 2021, EU rules (including the General Data Protection Regulation) will no longer directly apply to the UK in the same way.

The UK’s departure from the EEA will affect not only UK-based businesses with suppliers, clients, customers or subsidiaries in the EEA, but also EEA businesses with the same in the UK.

In this article, we examine the best practice steps to put in place to “Brexit-proof” your business before 31 December 2020.  

Summary of practical steps to take now - before Brexit:

1.    Map your data flows and verify that data is minimised. 

2.    If you are based in the UK and routinely deal with data subjects in the EEA, appoint an EU representative.

3.    If you are based in the UK and routinely export or import personal data from the EEA, or vice versa, consider the safeguard to put in place between contracting parties. Often, this will be the Standard Contractual Clauses (SCCs). Have the current SCCs in place for now, but monitor the development of the new draft SCCs in case these need to be replaced. 

4.    Critically assess the safeguard you have chosen against the legal environment, and the essential guarantees you must provide to data subjects. Will the safeguard actually ensure that GDPR principles are followed, or is this simply impossible- for example, do national surveillance laws conflict with EU laws, and are they unavoidable? Consider if there are any supplementary measures you can put in place.

5.    If you deem that the safeguard is appropriate and you can mitigate the effects or national incompatible laws with supplementary measures, clearly document how you will do this. The two suggested methods are strong encryption, or pseudonymisation. 

6.    Continue to monitor any developments in the UK or EEA country, and constantly re-evaluate the effectiveness of the supplementary measures you have put in place. 

We hope that this guidance is useful to any companies looking to Brexit-proof before January. If you have any specific questions or would like assistance in preparing for Brexit, please don’t hesitate to contact us!

Article by Lily Morrison @ Gerrish Legal, November 2020

Previous
Previous

Beauty-Tech & Privacy: Covert surveillance of our daily routines?

Next
Next

Appointing an EU Representative: Guidance for UK Businesses after Brexit