How Brexit affects personal data transfers to and from the U.S.

The UK’s transition out of the EU (Brexit) will end on 31 December 2020, bringing with it major changes to the way organizations interact with stakeholders based in the country.

It’s not just UK–EU relationships that will be affected; the end of the transition period may also have major repercussions for U.S.-based organisations – particularly if they use the UK as their European base.

Let’s take a look at how your organization’s process might have to shift in the next few months.

You may need a new supervisory authority

Under the GDPR, organisations outside the EU need to select an LSA (lead supervisory authority) to oversee their compliance. In the UK, this is the ICO (Information Commissioner’s Office).

If you currently use the ICO as your LSA, you must find an alternative by the end of the year. This means identifying the EU data protection body that is most appropriate to the business you do. 

Most countries have a single watchdog (with the exception of Germany, which has one for each of its 16 states as well as a federal one), so this is generally a case of identifying which country you do most of your business in and identifying its supervisory authority. 

So, for example, if you mostly process Spanish residents’ personal data, your LSA should be the Spanish Data Protection Authority.  

Once you’ve made your choice, you must determine whether any specific actions are required. You may be required to register with the LSA and pay a fee. 

You should also review any differences in the way your new LSA approaches GDPR compliance and adjust your practices accordingly. 

For example, the Regulation gives supervisory authorities the option to adjust the age at which someone is no longer a minor, and to interpret its rules however they see fit.

What about the Privacy Shield?

You might be wondering how the invalidation of the EU–US Privacy Shield affects your Brexit preparations.

In July 2020, the European Court of Justice ruled that the U.S. government’s mass surveillance practices contradicted the protections that the Privacy Shield was supposed to provide, forcing organizations to seek an alternative approach to transatlantic data transfers.

Experts have agreed that the most appropriate solution is SCCs (standard contractual clauses), which are legal contracts that outline the terms and conditions for data transfers.

U.S. organizations can use European Commission-sanctioned SCCs for EU data transfers, but they must create UK-specific ones for transfers to and from that country.

Appointing an EU representative

U.S.-based organisations (with the exception of public bodies) that regularly process EU residents’ personal data – and without a physical presence in the EU – must establish an EU representative.

This person is responsible for:

  • Responding to any queries the supervisory authorities or data subjects have concerning data processing; 
  • Maintaining records of the organisation’s data processing activities; and 
  • Making data processing records accessible to the ICO. 

If your EU representative is based in the UK, you must find an alternative before the Brexit transition period ends.

You should note that having an EU-based subsidiary may not excuse you from this requirement, particularly if it doesn’t have control over the data-related decisions of the business, or the power to implement them.

If you’re worried about finding a representative on such short notice, IT Governance USA is here to help. With our GDPR EU Representative service, you’ll be assigned a qualified data privacy, legal and compliance expert to fulfil your representative requirements.

Brexit is coming; make the required changes now!