Now Brexit is a certainty - how agile is your data?

13
Jan
2020

Tim Hyman

2019 saw many law firms working on ‘agile’ projects that focussed on enabling employees to work from multiple locations and devices but 2020 is likely to ask a different question - how ‘agile’ is your data.

On 31 January 2020 the UK will formally adopt the withdrawal agreement and commence preparations for leaving the EU a year later. With all the talk surrounding the various scenarios that could happen, it is useful to look at the potential effect on data transfer and what that might mean for organisations and their IT systems.

Elizabeth Denham the UK Data Commissioner in December stated: 

When part of the EU, GDPR and the UK Data Protection Act 2018 governed how we process personal data and in particular what we must do if transferring personal data to non-EEA jurisdictions. Leaving the EU results in some interesting challenges.

Subject to appropriate protections and application of the core GDPR data protection principles, EU countries are effectively free to transfer data between themselves. To legally process or share data outside of the EEA we are obliged to determine whether the destination is on the EU’s adequacy list (now to be adopted by the UK) and if not contractually protect the transfer using Binding Corporate Rules (BCRs) if an intra organisation transfer or Standard Contract Clauses (SCCs) if to another legal entity. There are some derogations to this but these are only to be used in limited circumstances.

Data Transfer Operating Models

There are three main operating models:

1. You are a law firm established only in the UK providing services solely in the UK and sharing no personal data with other clients or organisations outside the UK;
2. You are a law firm established only in the UK providing services to clients in the UK and the EU;
3. You are a law firm established in the UK sharing data with your offices, clients or other service providers who are based in the EU.

Model 1 – Brexit has no impact

Model 2 – You may have competition from firms who guarantee client data does not leave Europe. You will likely be asked by clients to make provision for the transfer of their data outside of the EU.

This may result in a significant client contract review if previous arrangements relied on the UK being a member of the EU.

Model 3 – As model 2 but EU offices will also need to make provision for the sharing of their client and employee personal data with the UK office. Any supplier contracts that previously relied on the UK being within the EU may need to be revised.

So what does that mean for IT systems?

In a ‘leave’ scenario, the UK will become a third party as far as data transfer is concerned effectively placing us in the same legal position as countries such as India or China. 

It is important therefore to plan for how we intend to legalise the processing and sharing of client and employee data between our own offices and with clients.

For a UK office to share UK client data with EU offices will remain mostly unaffected but the sharing of data in the other direction ( EU to UK) will need new provisions and protections.

Example scenario

At LawFirm LLP, the Document Management, CRM and Accounting systems hold international client data with some clients mainly handled by their German and French offices. The systems are hosted in a London data centre and the IT, Finance and Marketing teams are based in the London office.

In this scenario LawFirm LLP will have two options to ensure their personal data processing is legal following a ‘leave’ scenario;

1. 1 It prevents the French and German client and employee data from being shared with the London based systems by setting up hosted solutions somewhere in Europe.
2. 2 It creates either Binding Corporate Rules or Standard Contract Clauses signed by all offices.

There is the possibility of using client consent as an exception to the above but this is only to be used in limited circumstances and would likely require complex administration processes.

Data Protection Representatives

Another consideration is whether or not to appoint a ‘representative’. GDPR Art 27 requires that organisations outside of the EU offering goods or services to organisations within the EU may need to appoint a ‘representative’ to govern data protection and be the point of contact for Data Subjects and Data Protection Authorities.

As a consequence, the ICO has also indicated that in a ‘leave’ scenario a UK-based firm that does not have any offices in the EEA but offers goods or services to EEA individuals will need to consider appointing a European representative.

The specific example given by the ICO is as follows:

The ICO guidance on representatives due to Brexit can be found here. 

Next Steps

1. Using a data flow map, determine which data relationships will be impacted by the UK leaving the EU.
2. Assess client/customer requirements and determine whether current data locations should be changed.
3. Assess client/customer requirements and determine whether current processes should be changed.
4. Assess the viability of Binding Corporate Rules.
5. Determine whether Standard Contract Clauses are required.
6. Update Privacy Notices so as to comply with the transparency requirements.
7. Assess the requirement for a representative.

To discuss any of these matters in more detail or for help with any of your GDPR or Information Security challenges contact Tim Hyman at  This email address is being protected from spambots. You need JavaScript enabled to view it. .