GDPR, Brexit and Events
NOTE: the UK left the EU on 31st January 2020 and entered the 'transition period' until 31st December 2020. The key points of the article below continue to be relevant throughout the transition period, as it is not clear what sort of future relationship will be finalised between the UK and the EU.
The EU General Data Protection Regulation (GDPR) came into force on 25th May 2018, requiring organisations to put data protection measures in place when either offering goods and services or monitoring the behaviour of individuals within the EU. GDPR's reach is global, so can impact on any company, regardless of where in the world they are based. Failure to comply can lead to hefty fines and considerable reputational damage.
In June 2016, the UK voted to leave the European Union (Brexit) and is currently scheduled to do so by 31st January 2020, with a deal or without one. When it does, not only will the EU GDPR continue to apply to UK companies that process the data of individuals in the EU, but the UK plans to create parallel legislation for individuals in the UK. This means there will effectively be two GDPR regimes in place, with implications for businesses globally.
This article looks at the impact of Brexit on GDPR and the implications for all organisations operating in the events industry. Events tend to be international and involve the movement of large numbers of delegates (and hence of personal data), so they will be affected by both GDPR and Brexit. However, the main points are applicable to organisations in all sectors.
Disclaimer: The content of this article is for informational purposes only. It is not intended to be legal advice, and nor should it be construed as such. Please consult a data protection professional or legal adviser for guidance on your specific circumstances.
Principles of GDPR
The diagram illustrates the fundamental principles of GDPR. In summary:
- Personal data consists of any data that can identify an individual
- GDPR applies extraterritorially to any organisation that either offers goods and services to, or monitors the behaviour of, individuals in the EU
- There are six principles for processing personal data
- For processing to be lawful, it must rely on one of six lawful bases
- Individuals have eight rights over their data
- Organisations can be either Controllers or Processors, and they must have a written contract in place between them if they exchange personal data
GDPR after Brexit
Will GDPR still apply to UK businesses after Brexit?
According to the ICO website, the UK will write the EU GDPR into UK law as the 'UK GDPR', and it will apply extraterritorially to any business globally that either offers goods and services or monitors the behaviour of individuals in the UK.
As a consequence, businesses may need to process the data of individuals in the UK separately from individuals in the EU to respect the two different regulations. This essentially means there will be two GDPR legislations - one for individuals in the EU and one for individuals in the UK.
GDPR for Events
There are many different organisations involved in the events lifecycle, as demonstrated in the image above, each providing a specialised service. There are also many kinds of personal data, often shared between these organisations to allow them to perform their services. And because events tend to be global, this means that lists of personally identifiable information (PII, often delegate lists) are passing from one organisation to another, often crossing borders. Typical examples include:
- A UK agency holds a conference in Dubai, with delegates from all over Europe
- A global agency has its Paris and London offices co-ordinating an event in New York with attendees from across the globe
- A Berlin-based corporate is holding an AGM in Madrid with attendees from the UK and Asia
- A London based agency uses a DMC in Greece (which is in the EU)… or Turkey (which is outside the EU)
- A global corporation uses multiple agencies in different countries to manage their meetings management program
In each example above, multiple lists of personal data may be shared between numerous actors (corporate, agency, venue, hotel, DMC, transfer company, etc.), as demonstrated in the image below. Each actor may be local or international, and may further share the data with one or more third parties.
International Transfers of Data
Under GDPR, businesses can only share personal data across borders if they have an approved 'data transfer mechanism' for international data transfers. These are:
- Adequacy Decision. This means the country has been adjudged by the EU to have a legal framework in place that provides 'adequate' protection for the rights and freedoms of individuals. The flow of personal data with countries that have an adequacy decision is unrestricted, and this is the basis on which data currently flows between EEA countries.
Note: the EEA = EU + Norway, Liechtenstein and Iceland... though not Switzerland.
In addition to all EEA countries, several other countries also have an adequacy decision, so data flow to and from those countries is unrestricted. There are currently adequacy decisions in place between the EU and Andorra, Argentina, Guernsey, Isle of Man, Israel, Jersey, New Zealand, Switzerland and Uruguay. The EU also has partial decisions in place with Japan (private sector organisations only), Canada (if the data is subject to PIPEDA) and the USA (Privacy Shield only, see below).
- Appropriate Safeguards. Where a country does not have an adequacy decision, one of the EU-approved safeguards must be in place before data transfer can be permitted. These are:
- Standard Contractual Clauses (SCC) - fixed contracts between data controllers and other controllers or processors that must be in place before data can be shared between them
- Approved codes of conduct (CoC) - if the receiver of the data has signed up to a code of conduct approved by an EU supervisory authority, the transfer can take place
- Privacy Shield - EU companies can exchange data with US companies without restrictions, provided the US company holds Privacy Shield certification
- Binding Corporate Rules (BCR) - used by multinational corporations to share data between the group's companies. All BCRs have to be approved by an appropriate supervisory authority
If none of the safeguards listed above is in place, data cannot be exchanged with a country or sector that lacks an adequacy decision... unless one of several exceptions, or derogations, applies. The most common of these for the events sector are:
- the consent of the individual - for example, an individual's registration for a congress in Dubai might constitute consent for their data to be shared with a hotel in Dubai, provided certain conditions are met
- a contract with the individual - using the same example, registration for the congress in Dubai may be construed as entering into a contract
- the vital interests of the individual - for instance, in the event of a medical emergency
International Transfer of Data
The image shows the current status of data transfer between the EEA and other countries.
- Within the EEA, adequacy allows the free and unrestricted flow of data between member countries.
- The same applies to the other countries that already have an adequacy decision, as listed in the previous section.
- For the USA, note that the free flow of data is only with companies that have gained certification under the Privacy Shield. Note also that there are two versions of the Privacy Shield: one for the EU (covering all EEA countries) and one for Switzerland (which is in neither the EU nor the EEA).
- For the rest of the world, the so-called 'third countries', transfers can only take place if one of the other safeguards is in place - standard contractual clauses (SCC), codes of conduct (CoC), binding corporate rules (BCR) - or one of the exceptions applies. Note that unless a US company is certified under the Privacy Shield, it must be treated under the rules for a 'third country'.
UK - EEA Transfers Now
Looking specifically at the data exchange between the UK and the EU at present, there are no restrictions, because the UK is covered by adequacy as an EU member.
UK - EEA Transfers after Brexit
When the UK leaves the EU, it will become a 'third country' to the EU and will have to apply for an adequacy decision. Until one is granted, any transfer of data from the EU to the UK will require an alternative safeguard to be permissible.
If the UK enters a transition period after agreeing a deal for Brexit, it is likely there will be enough time for the UK's adequacy decision to be approved by the EU, so that nothing will change.
If, however, the UK leaves the EU with no deal, then any transfers from the EU to the UK will need another safeguard immediately. This means, for example, that an EU agency which sends rooming lists to London hotels will have to put other safeguards in place (commonly standard contractual clauses) before it can continue to send the data.
For data transfers from the UK to the EU, the UK government has already announced that it will recognise all existing adequacy decisions, so the transfer from the UK to the EU will continue unrestricted.
UK-Adequacy Country Transfers
Transfers from the UK to the other approved countries outside the EEA that hold an adequacy decision will continue. However, for data travelling the other way, from those countries to the UK, the UK is currently negotiating with each country on a bilateral basis.
UK - US Transfer after Brexit
The UK is currently making arrangements with the US to create a US-UK Privacy Shield agreement, which should be in place after the transition period. In the event of no deal, US companies with Privacy Shield certification need to publicly declare that their commitment to protecting personal data includes data from the UK.
Representatives after Brexit
Under the EU GDPR, any organisation based outside of the EEA which does not have a branch or office within the EEA is required to appoint a 'representative' in the country where it does most of its personal data processing. After Brexit, the UK GDPR will have a similar requirement for any international organisation processing the data of individuals within the UK.
Not only does this mean that international organisations may now need to appoint two representatives (one in the UK, one in an EEA country), it also means that businesses throughout the EEA may need to appoint a representative in the UK... and vice versa.
For example, an events agency in Paris that regularly processes the data of delegates from the UK may need to name a representative in the UK. The same applies to a UK DMC that provides events services to EEA agencies. The primary role of the representative is to communicate with the local supervisory authority, should there be an enquiry or a data breach, and to manage any data subject requests.
The role of the ICO
The ICO (Information Commissioner's Office) is the data protection authority of the UK and currently sits on the European Data Protection Board (EDPB), which governs GDPR. After Brexit, it will continue to regulate data protection in the UK but will no longer be a member of the EDPB. Many of its rulings will also become invalid within the EU. For example:
- ICO-approved BCRs will need a new EU supervisory authority to validate them
- any ad hoc contract clauses approved by the ICO will no longer be valid
- the same is true of any ICO-approved GDPR codes of conduct or certification schemes
All these will require organisations to find a new lead supervisory authority within the EU, and the concept of the 'one stop shop' will stop applying to UK businesses.
EDPB members currently operate a One-Stop-Shop system between them, which means organisations that work across EEA borders only need to deal with one lead supervisory authority. After Brexit, the ICO will be independent of other EEA supervisory authorities, which means businesses may need to deal with more than one supervisory authority. If, for example, there was a data breach at the UK branch of an international events agency, the agency could face disciplinary proceedings (and fines) from both the ICO and the appropriate EEA supervisory authority.
Another impact is that the current EU 'standard contractual clauses' may be replicated under the UK GDPR, meaning two sets of terms may be required for the two categories of personal data, UK and EEA. Any existing BCRs will also need to be updated to reflect that the UK will be considered a third country by the EEA.
Cloud Service Providers
All the principles about transferring data across borders apply equally to cloud-based systems. Along with the standard business applications used by most organisations (CRM, HR, storage, etc.), those managing events also use several cloud-based systems for delivery during the events lifecycle. For each of these, knowing where in the world your data is stored is the essential first step in working out what additional measures are needed so you can continue to use the system after Brexit.
Other Changes After Brexit
This article has focused on the transfer of data between the UK, the EU and the rest of the world, which is the area most affected by Brexit. Other actions businesses will have to take include:
- Updating privacy notices/policies to reflect that UK and EU citizens' data are processed separately, in line with the relevant legislation
- The EU GDPR requires all businesses to keep detailed records of all processing of EU citizens' data; this may need to be replicated for UK citizens' data
- Existing and new DPIAs may need to be updated to reflect the transfer of data across borders
- The assigned DPO (data protection officer) will need to be aware of the processing and legislation surrounding the two GDPR regimes
- The long-awaited update to PECR, the Privacy and Electronic Communications Regulation, will not apply to the UK, which will be treated like any other third country by the EU. The UK may pursue equivalent legislation by itself
What should businesses do to prepare for Brexit? Whether there is a deal or no deal, companies will need to act, and it is better that they understand the implications now and have a contingency plan. The news changes daily: the UK may leave the EU on 31st January 2020, it may not leave on that date, or Article 50 may be revoked. Much depends on the risk appetite of the company, but an audit of all types of personal data (UK and EU), together with a mapping of the flow of this data across borders, should be the starting point.
Smartec Business Solutions provides a number of technology, data and GDPR services for the events sector, including data audits, outsourced DPO and representative services. For details, see www.smartecbs.com/solutions/gdpr, call Smartec on +44 (0)1784 289974 or email email@example.com.
Credits and Resources
This article was written by Arvi Virdee, Managing Director of Smartec Business Solutions.
His email address is firstname.lastname@example.org.
The information came from the following sources:
The UK Information Commissioner's Office website (Data protection if there's no Brexit deal)
The European Data Protection Board website (Information note on data transfers under the GDPR in the event of a no-deal Brexit)
The Privacy Shield website (Privacy Shield and the UK FAQs)
Trustarc webinar (Current state of Brexit and Data Protection Impact)
The Law Society website (No-deal Brexit guidance: Data protection)