The transition period is over. We’re now one month into Brexit and many companies have been asking themselves what the consequences will be for their business, their clients and their outbound marketing throughout the UK.
Here’s what we know so far.
Data protection and UK adequacy
The free flow of data between the UK and Europe supports more than £100 billion in trade. So, when we say that a mutually acceptable agreement on data transfer is important, that’s putting it mildly.
As part of the Brexit deal, the UK and European Union have agreed to a short-term arrangement which allows the free flow of personal data between the UK and Europe.
What happens next boils down to UK adequacy regarding data protection. Post-Brexit, the UK is deemed a `third county’ – and the European Commission has the power to decide whether a third country has adequate levels of data protection.
Provided the UK’s laws are considered adequate, things can continue as before.
But what happens if the European Commission decides that our laws are not adequate?
We don’t yet know, but you may want to consider SCCs.
By way of a quick reminder, international standard contractual clauses (SCCs) allow businesses to transfer personal data to a third country – in other words, countries outside the UK and EEA which don’t have an adequacy decision from the European Commission.
If you’re a small or medium sized business, SCCs are probably your best option. There are no realistic alternatives.
For larger organisations, or those with well-established transfer mechanisms, you may not need SCCs provided your group has approved binding corporate rules (BCRs) in place.
As mentioned, the need for SCCs will depend on the decision regarding UK adequacy. We’ll keep you posted on this.
Do you need an EU representative?
Post-Brexit, companies based in the UK will need to appoint an EU representative if:
• You offer goods and services to individuals in the EEA, or
• monitor an individual’s behaviour, and
• you don’t have a branch, office or establishment in an EEA state.
You may be wondering about what is meant by `monitoring an individual’s behaviour’ – and to be honest, we are too. At the time of writing, it’s unclear.
The ICO have told us that an `EEA individual’ includes a business employee, and that `monitoring behaviour’ can cover behavioural advertisement and geo-localisation activities. Therefore, if your marketing targets EEA employees based on what they do and where they are located, you could run into difficulties without an EU rep.
That said, if you contact them simply because of their specific business sector, you should be OK. Their location and behaviour are irrelevant.
The need for an EU representative: a quick checklist
Does your organisation do the following?
• Describe products or services in the language of an EU member state?
• Offer prices in Euros?
• Run marketing campaigns targeted at an EU audience?
• Mention dedicated contact details to be reached from an EU country?
• Use top-level domain names such as .de or .eu?
• Mention customers based in one or more EU states?
If the answer is yes to any of those, appoint an EU representative. However, provided your marketing activities are NOT actively targeting EU citizens, this won’t be necessary.
Brexit means that the one-stop shop has fallen away. The UK (and ICO) are no longer the lead supervisory authority for the EU when it comes to managing breaches of GDPR.
In the UK, the GDPR has now been replaced by UK GDPR. While most of its provisions mirror that of the GDPR, there are still a number of unknowns – including how the ICO will coordinate and cooperate with EU data protection authorities over breaches.
Potentially, there may be unintended consequences. For example, could UK organisations be punished twice for any breach of data laws – by the ICO under UK GDPR, and additionally by any number regulators in the EU?
Again, we don’t yet know.
Most of these unknowns will be cleared up in about 6 months’ time when the European Commission makes its decision regarding UK adequacy.
If we hear anything in the meantime, we shall keep you posted.