Brexit Data Protection Check | PDSC Advice Guides

Yes/No

The lead supervisory authority you choose should be in the country where most of your EU data subjects reside.

This might include registration fees or requirements to provide extra information about processing activities.

The guidance provided by your lead supervisory authority should be your first port of call for processing involving EU data subjects, even if you’ve been following Information Commissioner’s Office (ICO) guidance until now.

Some supervisory authorities may want to see certain types of evidence if they need to investigate. It’s important to make sure your processes can produce this evidence before there’s a problem.

Any organisation based outside the EU that regularly processes the personal data of EU residents needs to appoint a representative within the EU. If you need to appoint one, it’s best to get started now – capacity will likely be limited.

Your representative will be who EU data subjects and the supervisory authority will go to if they have any requests, so they need to be able to respond to things like DSARs.

The EU GDPR requires you to notify the lead supervisory authority about your representative. Some authorities might require this to be in writing.

Yes/No

Article 13 and Article 14 notices need to give data subjects information about how to contact your EU representative and tell them who the supervisory authority is.

From 1 January, transfers between the EU and the UK are international transfers, so you need to provide information about how these transfers are secured.

They’re not always necessary, and some of the conditions requiring them will change in the UK. It’s possible that you won’t need one under the UK GDPR, but will under the EU GDPR.

The DPO will be required to communicate with the supervisory authority, so they may need to be relatively fluent in the local language or have access to a resource who is. Some legal expertise in that country could also be valuable.

If you have a DPO and operate in both markets, your DPO needs to fulfil both sets of requirements, so you need to be sure they can stay up to date.

Records of processing activities will probably need to be updated, especially where there are now transfers between the UK and the EU. The UK GDPR also requires more information in the record.

International transfers – among many other things – are potentially risks to the rights and freedoms of data subjects, so you should make sure you review all your DPIAs and address any new risks.

The UK has been granted adequacy by all the countries considered adequate by the European Commission, except for Andorra (so far). If Andorra and the EU do not grant the UK adequacy by the end of the transition period, organisations will need to change their lawful basis for the processing.

This might include transfers back into the UK. If you use a supplier in the EU, for instance, they may be required to put SCCs in place to send the data back to you.

The Schrems II decision made it clear that SCCs alone may not be enough to secure data transfers.

While you could just add the SCCs to the end of your processing contracts, it’s important to make sure that the rest of the contract supports them. This might mean renegotiating the arrangement.

If you need to review a lot of contracts, your approach might benefit from being updated to account for the new regulatory environment.

If you’re not prepared, this could become a serious issue. Any critical processors should be a priority, so you can make arrangements for other providers in case they can’t meet the new requirements. The same might apply to you if you rely on customers from the EU.