free webinar

GDPR after Brexit: What changes do you have to expect?

Join our free webinar to understand what changes Brexit brings for data protection regulations in Europe. UK data protection expert Rob Masson and international data protection officer Lisa Hofmann will talk about the effects of Brexit on the GDPR and how you need to prepare, whether you are a UK company dealing with European client data or a European company dealing with UK client data.

What you are going to learn

  • Do you have to change where you store your data?
  • Which laws are changing? And will you have to comply with UK privacy laws and GDPR after Brexit?
  • When will you need to appoint an EU or UK representative?


Hosts

Rob Masson

Data Protection specialist and CEO at The DPO Centre Ltd

Experienced UK data protection specialist, helping clients navigate GDPR compliance in the face of Brexit.

Lisa Hofmann

Chief of Legal Operations and International DPO at Pridatect.

Legal specialist and Data Protection Officer certified by TUEV (German institution for security-related services), with broad experience in helping companies with their privacy compliance.

FAQs

Yes, you would need both an EU and a UK representative. This might change during the negotiations, but right now the scenario is that Article 27 applies twice (once under the EU GDPR and once under the UK GDPR), and therefore both must be appointed. The EU representative would need to be established in the member state where you process the majority of the data.

The GDPR does not state where a DPO must be located; it states that the DPO must be easily accessible from each establishment.

A UK DPO in a European company would be fine. The EDPB has recommended that organisations processing data in both the UK and the EU should appoint a DPO in the EU; however, this is not a requirement of the regulation. Smaller organisations that have one DPO right now should be able to continue with one DPO.


If you do decide to move the location of your DPO, you must inform the lead or relevant Supervisory Authority(ies) of their contact details.

No, there should be no impact. The "appropriate technical and organisational measures" expectation of Article 32 remains unchanged, as do the individuals' rights (the right to be forgotten, etc.). The Article 5 principles of the EU GDPR and the UK GDPR will remain the same: everything you are doing now under the EU GDPR, you should continue doing under the UK GDPR.

Currently, all personal data moving from the EU/UK to the US is governed under the Privacy Shield framework agreed to by the EU and the US. The Privacy Shield is designed to ensure the free flow of personal data between the EU and the US while at the same time obligating US companies to implement protections for EU residents' data similar to those offered by the GDPR.

The EU/US Privacy Shield will still apply to the UK up until the end of the transition period (currently 31st of December 2020), so it is essentially business as usual until then. After this time, the UK has stated that it will recognise the Privacy Shield framework as adequate for UK to US personal data transfers.

From the end of the transition period, however, US organisations certified under Privacy Shield will need to confirm that they have extended their public commitment to state that their adherence to the Privacy Shield principles also covers data received from the UK. Only a relatively simple update to the appropriate public-facing privacy policy is therefore required. The required model language can be found here.

UK companies should confirm that the Privacy Shield certified organisations to which they transfer personal data have made these updates and that they renew their certification annually.

Entities that rely on Privacy Shield for transferring personal data from the UK should keep these requirements (and all other Privacy Shield requirements) in mind when reviewing their compliance materials for Privacy Shield recertification.

Yes, it is still allowed. The scenario is no different from the current situation when those same employees travel to any other (non-adequate) country outside the EU. You would be expected to implement appropriate technical and organisational measures to safeguard the data being processed between you and the employee.

For the Article 3 extraterritorial scope of the GDPR to apply, data subjects need to be 'resident' in the EU. This therefore also includes non-EU citizens who are living in, or resident in, the EU. If the subject you describe (whilst being an EU citizen) is resident in a non-EU country (as the UK will be), then the EU GDPR would not apply to that subject; the UK GDPR would, however, apply. If you are based in (say) Spain, but processing data on a UK resident from Spain, then you would be caught by the extraterritorial scope of Article 3 of the UK GDPR.

The ICO is not necessarily the only authority that can impose a penalty: should an issue affect a large number of data subjects in a particular member state, the authority in that state may require to be involved. However, the specific purpose of the one-stop-shop mechanism is to significantly reduce the need for more than one authority to be involved. Remember that the ICO can no longer be your lead authority after the 31st of December 2020, so you will need to nominate an authority from the remaining 27 member states.