Brexit, your business and data: processing European personal data - updated January 2021

One of the biggest impacts which Brexit will have had on UK organisations from an operational point of view, is on their processing of personal data about European Union (EU) citizens once the UK leaves the EU. This is the second of two briefings in which we continue to explore the implications of Brexit for UK organisations which process personal data, and their ongoing compliance with data protection law.

In this briefing, we consider how UK businesses conducting cross-border trading in the EU will be affected by the General Data Protection Regulation (2016/679) (GDPR) as it applies in the EU (and the EEA, by virtue of incorporation of GDPR into the EEA Agreement), now that the UK has left the EU, and in particular, how the end of the transition period has brought about:

• the requirement to adjust to having a new data protection regulator in place of the ICO (in respect of their EU activities); and
  
  
• the requirement to appoint a representative in the EU.

The first point is not a surprise – businesses trading overseas, particularly when consumer facing, regularly need to decide how far to mould their trading operations around complying with local law to the letter, or whether to take the risk of a "one size fits all" approach, which is already the case with GDPR. The second point is new to UK businesses. In this briefing, we aim to not only inform you of the issues, but also draw your attention to the practical steps you should think about now, if you haven't already done so. 

This briefing note was first written prior to the end of the transition period, as a list of data protection action points for businesses to follow in order to prepare for the end of the transition period. However, at the time of update, the UK has formally left the EU (on 31 January 2020) and the transition period came to an end on 31 December 2020. Nevertheless, the points are still pertinent for any business which has yet to turn its attention to Brexit preparedness, or is in the process of making operational changes.

Please note that none of the issues that we write about in this note are affected by the data bridge that was put in place in the Christmas Eve Trade Co-operation Agreement between the EU and the UK, and that we will write about in the context of Brexit and data transfers in our briefing on that topic, which is the process of being updated.

As we saw in that briefing, during the transition period, the  GDPR continued to apply to those organisations in the UK which fell within its scope, to both their processing of personal data about UK data subjects and their processing of personal data about EU data subjects. However, the landscape changed when the transition period came to an end: businesses which operate in both the UK and the EU now have two data protection regimes to consider.

In addition to complying with data protection law in the UK, UK businesses will need to comply with GDPR as it applies in the EU, if:

• they have an establishment within the EU and process personal data in the context of the activities of that establishment; or
  
  
• they are not established in the EU (ie they just have an office in the UK or another third country), but they process personal data of data subjects who are in the EU, where the processing activities are related to the:
  
  - offering of goods or services to such data subjects in the EU; or
  
  - monitoring of their behaviour (as far as their behaviour takes place within the EU).

(Organisations in the UK will also have to continue to comply with GDPR, in respect of any personal data about EU data subjects which they held and processed before the end of the transition period (and which they continue to process), as well.)

Of course UK businesses trading in other Member States already need to comply with  GDPR as interpreted under two (or more) separate systems of law, as  GDPR allows local derogations in Member States, and variances will exist. However, the UK has traditionally adopted a high standard of data protection in comparison to other Member States. So in practice, for the time being, and while the two systems are broadly parallel, there may not be many instances where UK businesses will need to adapt their operations to be in line with different data protection standards in the EU. Therefore this shouldn't, in theory, be a major problem for now.

However, Brexit has thrown a spanner in the works when it comes to coordinating EU operations via the "one stop shop" (OSS) principle, which would normally have been a handy way of dealing with deviances in approach to data protection amongst the Member States.

Until the end of the transition period, UK businesses could benefit from the OSS principle, which allows a single data protection authority (it would have been the ICO for most UK businesses) to be designated as the lead supervisory authority (LSA) for organisations, provided that the organisation can demonstrate that they have a "main establishment" (or "single establishment") in that jurisdiction (see box below for further details). The LSA for a business becomes the sole interlocutor for cross-border processing issues.

The LSA can be used to coordinate actions and complaints regarding cross-border processing (e.g. a complaint originating in France or Germany), with the help of other "concerned DPAs" (i.e. other data protection authorities in Member States affected by the processing).

The difficulty for many UK businesses is that, with effect from the end of the transition period, the ICO can no longer be the LSA. It follows that unless UK businesses can demonstrate otherwise or structure their operations accordingly, their main establishment (as defined in the GDPR and explained in European Data Protection Board (EDPB) guidelines) will be in the UK, not in the EU. Therefore, they cannot benefit from having a LSA in the EU or from the OSS principle in general.

Unfortunately, without an establishment which can clearly be shown to be a "main" or "single" establishment, or indeed without any physical presence in the EU, UK businesses must now deal with each supervisory authority in each Member State in which they are active, so it would be prudent to ensure you are familiar with the reach of your operations from a GDPR perspective.

Even if a UK business has no establishment within the EU, the GDPR can still, in the instances set out in section 2 of this briefing, apply. However, a new requirement for such businesses (and indeed any business outside the EU whose personal data processing activities are such that the GDPR applies by virtue of its extra territorial effect and which to date has relied on an EU representative based in the UK) is that they have to appoint a representative in the EU, in one of the countries where affected EU citizens live.

The representative will be the primary point of contact for UK businesses for cooperating and communicating effectively with supervisory authorities and data subjects on issues of data processing, for the purposes of ensuring compliance with the organisation's obligations under the GDPR, and must be authorised in writing by the business to be addressed in addition to, or instead of, that business – a service contract between the UK business and the representative would suffice. Consequently, you should only appoint someone you would trust to pass on communications to you promptly – traditionally businesses have appointed a fellow group company in comparable situations, but this won't be feasible for everyone.

Failure to appoint a representative pursuant to GDPR could result in a fine up to the greater of €10 million or 2% of global turnover, so this should definitely make it onto the list of Brexit action points for UK businesses. 

To the extent they haven't done so already, UK businesses to which the GDPR applies should consider taking the following steps:

• Check for material variances in interpretation of the GDPR in those Member States where your data subjects reside (for example, variances in data breach notification requirements or requirements to appoint a data protection officer), to avoid the risk of falling foul of EU practices or interpretations which differ from those of the UK. Any such variances should be worked into a business' internal response and privacy policies.
  
  
• Consider if you are still able to benefit from the OSS principle/consider whether this is something which is particularly desirable for your business. If it is, and to the extent that you are able to influence the situation, do you have a particular LSA in mind? In order to benefit, you'll need to show that you have a "main" or "single" establishment in the particular Member State of the LSA. See box for further details.
  
  
• Appoint an EU representative if you are processing personal data about EU data subjects and you are doing so from the UK or another base outside the EU – and update your privacy policies/data collection notices with this information, to make sure that you are complying with your transparency obligations in this regard.