Don’t forget your data – One more for your Brexit “to do” list

by Sascha Schneider CIPP/E

In 1847, Fry’s gifted us the chocolate bar. In 1989, the worldwide web brought the world to our desktop. In 2016, ‘Brexit’ arrived… What do these three world changers all have in common? They were all great British inventions! The first, we love to love. The second, we love to hate, while secretly loving it. The third… The verdict is out, and is likely to remain out, for years to come.

Until we know the nature of the post-Brexit UK-EU relationship, we just have to sit and wait for the political waves to settle, but as organizations, we need to start planning.

UK enters a new club

By now, we’re all aware that the majority vote of the British public on June 23, 2016 was for Britain to exit from the European Union.

Overnight, the UK’s membership of the EU’s exclusive ‘28 Club’ was revoked and the membership count dropped to 27, not, I hasten to add, to be confused with the infamous ‘27 Club’!

What now for HR & Payroll teams?

Until the UK officially notifies the European Union of its intention to leave the EU (Art. 50.2 Treaty of the European Union), no one really knows!

From here, there will be a minimum two-year transition period for all treaties between the UK and the EU to cease their effectiveness (Art. 50.3), and throughout this period UK and EU civil servants will have to manage a humongous workload to get to a satisfactory point from which we can all move forward effectively.

HR and payroll teams don’t have this luxury of two years!

You hold people’s personal data. Without exception, data storage must be compliant with the jurisdiction in which the data sits, or perhaps the jurisdiction in which the personnel relating to the data sit? Why can’t data law ever be clear-cut?

With immediate effect, you must be clear-cut in your handling of HR and payroll data – at every point in the transition from Britain in the EU to Britain out of the EU. This is likely to involve the adoption of new standards and legislation that will only remain applicable for the duration of the UK / EU negotiation period. A major investment of time for a very short-term outcome.

What must be changed as a matter of urgency?

The quick answer is: “it’s business as usual”.

Current EU data protection legislation is based on the EU Directive 95/46/EC, a law that has to be implemented into national legislation to be fully effective.

In the UK, this was done through the UK Data Protection Act 1998. This law has been signed off by the UK parliament and is, and remains, a fully recognized British law.

It’s not an EU law. It’s not a co-operative law. It is a British law, and irrespective of what else happens – Great Britain will continue to have a robust data protection law!

What about the new EU General Data Protection Legislation?

As we highlighted in our post, two weeks ago and pre-Brexit, the EU’s General Data Protection Legislation was approved a few months ago and will be fully effective from May 25, 2018.

If you now get your calculators out (I’m a jurisprudent. I need one for everything!), the absolute earliest date the UK can withdraw from the EU is October-November 2016, if all goes to plan.

The GDPR, a single law rather than an entire legislative system, should have been approved in late 2014 and was not, so I would suggest that the UK’s effective withdrawal date is ambitious!

Either way, the May 25, 2018 introduction date for the EU’s GDPL comes at least five months ahead of this. We have a mismatch!

UK organisations must still plan for EU GDPL compliance

This mismatch in timings means that if you are responsible for individuals’ data in the UK, you must (continue to) prepare to ensure your data handling is fully compliant with the new legislation, however short-lived this requirement might be.

Is all clear?

On June 24, 2016, an ICO spokesperson from the UK Data Protection Authority said:

“If the UK is not part of the EU, then upcoming EU reforms to data protection law would not directly apply to the UK.”

“But if the UK wants to trade with the Single Market on equal terms we would have to prove ‘adequacy’ – in other words UK data protection standards would have to be equivalent to the EU’s General Data Protection Regulation framework starting in 2018.” (sic)

They also said that “international consistency” with data protection laws is “crucial” to businesses, organizations, consumers and citizens.

We can assume, therefore, that the ICO has already noticed this discrepancy in timings.

Adequacy in data

Jersey, Guernsey and the Isle of Man are not members of the European Union, but they do have an “adequacy agreement” with the EU Commission in regards to data protection.

This means that EU organizations can freely transfer data to these locations as if they are members of the EU without the need for EU Model Clauses or consent. This is vital for any international organisations with global payroll operations.

It is hoped that Great Britain is able to negotiate a similar “adequacy decision”, which is why it is vital that data managers in the UK continue to implement the GDPR provisions.

It all seems so easy…

There is always a bitter pill with any legislative change, and with Brexit, this pill is no easier to swallow! When Britain leaves the European Union it is no longer under the direct jurisdiction of the GDPR.

The direct impact to UK organisations

  • End of the One-Stop Shop feature for a company operating in the UK, but with an HQ in an EU country. It will still need to be registered with the ICO and in another EU country (if the law does not change)
  • An EU-representative will be required as a point of contact for all data protection authorities if a UK business wants to do trade in the EU and process EU citizens’ data
  • Implementing the breach notification depends on the final course taken in the exit process – businesses should be prepared to notify all breaches to the authority (as already recommended by the ICO)
  • The UK will no longer benefit from EU-wide adequacy decisions to transfer data across the globe, e.g. to Canada, Argentina or, once the long-heralded Privacy Shield is approved, the US. Instead, businesses will need to implement a new “adequacy decision” process or contractual clauses with off-shore locations
  • Even if the GDPR is not directly applicable, a business could still be fined for not processing EU citizen data correctly

Closing thoughts

Brexit is an unprecedented event in the long history of the European Union and personally I, like many of my colleagues in the UK and across Europe, was surprised by the outcome of the referendum.

There is a lot to do on local and on European levels to limit, wherever possible, any potential negative impacts on British and EU companies.

From a data protection perspective, nothing much will change – provided the negotiations follow a reasonable course. Whatever happens, the UK will need to trade with EU countries and will need to be in a good position to transfer data in order to do this.

There is a very high probability that with a few amendments to the UK Data Protection Act, the UK will receive an “adequacy decision” from the EU, making it compliant with the provisos of the GDPR which, as already mentioned, is likely to be implemented anyway considering the mismatched timelines.

Disclaimer: the author and/or NGA HR do not have any political interests and/or opinions on ‘Brexit’. This article is purely of informative nature and does not constitute legal advice. You should always seek independent legal advice for more information on the possible impacts of ‘Brexit’, the General Data Protection Legislation, or the UK Data Protection Act.