2019 saw many law firms working on ‘agile’ projects that focussed on enabling employees to work from multiple locations and devices, but 2020 is likely to ask a different question: how ‘agile’ is your data?
On 31 January 2020 the UK will formally adopt the withdrawal agreement and commence preparations for leaving the EU a year later. With all the talk surrounding the various scenarios that could happen, it is useful to look at the potential effect on data transfer and what that might mean for organisations and their IT systems.
Elizabeth Denham, the UK Data Commissioner, stated in December:
While part of the EU, GDPR and the UK Data Protection Act 2018 governed how we process personal data and, in particular, what we must do when transferring personal data to non-EEA jurisdictions. Leaving the EU results in some interesting challenges.
Subject to appropriate protections and application of the core GDPR data protection principles, EU countries are effectively free to transfer data between themselves. To legally process or share data outside of the EEA, we are obliged to determine whether the destination is on the EU’s adequacy list (now to be adopted by the UK) and, if not, to contractually protect the transfer using Binding Corporate Rules (BCRs) for an intra-organisation transfer, or Standard Contract Clauses (SCCs) for a transfer to another legal entity. There are some derogations to this, but these are only to be used in limited circumstances.
There are three main operating models:
Model 1 – Brexit has no impact
Model 2 – You may have competition from firms who guarantee client data does not leave Europe. You will likely be asked by clients to make provision for the transfer of their data outside of the EU.
This may result in a significant client contract review if previous arrangements relied on the UK being a member of the EU.
Model 3 – As model 2 but EU offices will also need to make provision for the sharing of their client and employee personal data with the UK office. Any supplier contracts that previously relied on the UK being within the EU may need to be revised.
In a ‘leave’ scenario, the UK will become a third country as far as data transfer is concerned, effectively placing us in the same legal position as countries such as India or China.
It is important, therefore, to plan how we intend to legalise the processing and sharing of client and employee data between our own offices and with clients.
Sharing UK client data from a UK office with EU offices will remain mostly unaffected, but sharing data in the other direction (EU to UK) will need new provisions and protections.
At LawFirm LLP, the Document Management, CRM and Accounting systems hold international client data with some clients mainly handled by their German and French offices. The systems are hosted in a London data centre and the IT, Finance and Marketing teams are based in the London office.
In this scenario, LawFirm LLP will have two options to ensure their personal data processing is legal following a ‘leave’ scenario:
There is the possibility of using client consent as an exception to the above, but this is only to be used in limited circumstances and would likely require complex administration processes.
Another consideration is whether or not to appoint a ‘representative’. GDPR Art 27 provides that organisations outside of the EU offering goods or services to organisations within the EU may need to appoint a ‘representative’ to govern data protection and be the point of contact for Data Subjects and Data Protection Authorities.
As a consequence, the ICO has also indicated that in a ‘leave’ scenario a UK-based firm that does not have any offices in the EEA but offers goods or services to EEA individuals will need to consider appointing a European representative.
The specific example given by the ICO is as follows:
The ICO guidance on representatives due to Brexit can be found here.
Copyright © 2019 Legal IT Professionals. All Rights Reserved.