If you're wondering what impact Brexit will have on the GDPR and your use of data within dotdigital Engagement Cloud, and what we're doing to prepare for Brexit, then we hope the following FAQ helps.
Informational purposes only
Please note that this is provided for informational purposes only. For more information on the consequences for you, please see the Government's Brexit advice pages or seek your own legal advice.
For any specific queries relating to Brexit and dotdigital's preparations for it, please contact firstname.lastname@example.org.
What is a ‘no deal’ Brexit?
A ‘no deal’ scenario is a scenario where the UK leaves the European Union and becomes a ‘third country’ at 11pm GMT on 31 October 2019 without a Withdrawal Agreement and framework for a future relationship in place between the UK and EU.
What will the effect be of a ‘no deal’ Brexit?
In the event that the UK fails to secure a deal with the EU27 regarding the UK’s withdrawal from the European Union, the UK will become a ‘third country’. This means all existing EU legislation, agreements and arrangements that the UK has in place with the EU shall cease to be applicable in the UK.
What does this mean for the GDPR and the Data Protection Act 2018?
The GDPR has direct effect across all EU member states and has already been passed. This means organisations will still have to comply with this regulation and we'll still have to look to the GDPR for most legal obligations. However, the GDPR gives member states limited opportunities to make provisions for how it applies in their country. One element of the Data Protection Act 2018 sets out the details of these provisions. It's therefore important that the GDPR and the DPA 2018 are read side by side.
As preparation for the UK leaving the EU, the European Union (Withdrawal) Act 2018 has been ratified into law. Two of the main functions of this legislation are repealing the European Communities Act 1972 and transposing all existing EU law into UK national law. As such, the GDPR will become UK national law alongside the DPA 2018 and will continue to be applicable within the UK.
If the GDPR will continue to be applicable, why will there be a problem?
Although, as outlined above, the GDPR will be transposed into UK national law by the European Union (Withdrawal) Act 2018, the GDPR still provides that any transfer of data relating to an EU data subject outside of the EEA to ‘third countries’ is prohibited.
As of 31 October 2019, the UK will be a ‘third country’ in the event of a 'no deal' Brexit and therefore transfers to the UK will be prohibited unless certain precautions are put in place prior to any transfer.
What is an 'adequacy decision'?
You may have read about the UK receiving an ‘adequacy decision’ in relation to ongoing data protection obligations, negating the concerns of the UK being viewed as a ‘third country’.
The European Commission has the power to determine whether a country outside the EU offers an adequate level of data protection, whether by its domestic legislation or by the international commitments it has entered into. The effect of such a decision is that personal data can flow from the EU to that third country without any further safeguard being necessary. In other words, transfers to the country in question will be assimilated to intra-EU transmissions of data.
The European Commission has so far recognised Andorra, Argentina, Canada, Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland, Uruguay and the United States as providing adequate protection.
The EU27 have made it clear that any adequacy decision for the state of the UK’s data protection regime can only take place once the UK has left the EU. The assessments and negotiations have usually taken many months. Although it's the ambition of the UK and the EU to eventually establish an adequacy agreement, it won’t happen immediately following the UK’s departure from the EU. As such, until an adequacy agreement is provided, businesses will have to make use of other legal mechanisms to transfer data outside of the EU.
Will transfers from the UK to the EU be affected?
The UK’s Information Commissioner's Office has already made it clear that the flow of data to the EEA from the UK will not be affected in the event of a ‘no deal’ Brexit.
Brexit and dotdigital
What is dotdigital doing to prepare for Brexit?
dotdigital has a team established with key stakeholders across the business (both internal and client facing) to implement contingency planning.
Will Brexit impact the provision of services?
We don't anticipate that Brexit will have an adverse impact on the supply of services to our clients. There are no staffing implications from Brexit. The one key element critical to our provision of services to clients is with regard to client data – we are taking steps to address these concerns as outlined in this FAQ.
Which dotdigital clients will this affect?
Brexit will affect any dotdigital clients that are located within the EEA or that upload data about individuals located within the EEA.
Where does dotdigital store data?
The dotdigital Engagement Cloud platform is hosted on Microsoft Azure Data Centres. Data for our European clients is held in the West Europe region (Netherlands), with data being backed up to the North Europe region (Ireland). You can check out this map showing the Azure data centre locations.
Why will dotdigital transfer data to the UK?
dotdigital uses data centres located within the EU as outlined above. However, dotdigital is primarily a UK-based business. UK-based staff will need to access this data for the purposes of providing our core services, as well as providing support and professional services.
How will dotdigital continue to transfer data from the EU to the UK in the event of ‘no deal’?
In the event that the UK leaves the EU without a deal, the UK will be considered a ‘third-country’ for the purposes of the GDPR. As the UK will have no adequacy decision in place, transfers from the EEA to the UK will have to be done in line with appropriate safeguards outlined in Article 46 of the GDPR.
As a group, we ensure that we have adequate safeguards in place across our organisation and global entities. We have an intra-group agreement incorporating the EU Model Contract Clauses and ensure that the EU Model Contract Clauses are in place with our sub-processors.
How will this impact clients?
To ensure the ongoing provision of services complies with European data protection legislation, we are urging our clients to enter into Model Contract Clauses with dotdigital.
If you're based in Europe, we will be reaching out to you with a copy of these for signature. If you wish to request EU Model Contract Clauses with dotdigital, please email email@example.com.
We've purchased .EU domains through dotdigital – will these be affected?
Any .EU domain that has been registered by a UK individual or business will be affected, as the regulatory framework for the .EU Top Level Domain will no longer apply to the UK from the withdrawal date.
If you believe that this affects you, please read the guidance issued by the .EU domain authority.