Post-Brexit Personal Data Breach Reporting – An End to the ICO’s Role as One-Stop-Shop Lead Supervisory Authority


The end of the Brexit implementation period on December 31, 2020 has significantly changed the data protection landscape for companies based in the UK. Beyond the headlines about data transfer issues and a possible adequacy decision for the UK in the coming months, businesses also need to be aware of significant changes in the way cross-border personal data breaches with a UK element will in future have to be reported to data protection authorities (DPAs).

The GDPR introduced a “one-stop-shop” principle, which enables companies to report cross-border personal data breaches to a lead supervisory authority (LSA) in the EU/EEA member state of their main establishment. A key advantage of this system is that companies typically only need to deal with a single data protection authority with regard to the investigation of the breach and any resulting enforcement. Before the end of the transition period, the UK ICO could serve as the LSA for companies headquartered in the UK in the event of a cross-border breach; in fact, many of the high-profile breaches investigated by the ICO since the GDPR came into force were cross-border in nature and involved the ICO acting as LSA.

While the GDPR itself has been retained in UK national law, the status of the ICO has now changed. Processing carried out in a controller’s UK establishment(s) that affects data subjects in the EU/EEA is no longer considered cross-border processing within the meaning of the GDPR, and it is no longer possible for the ICO to serve as an LSA under the one-stop-shop principle.

The ICO has provided helpful guidance on what this will mean in practice in relation to cross-border personal data breaches with a UK element, including four sample scenarios which can be summarized as follows:

  1. If a personal data breach affects individuals in the UK and in one EU/EEA member state, and the controller is established only in the UK and in that EU/EEA member state, the breach must be notified to the ICO and to the data protection authority in that EU/EEA member state, assuming the risk threshold set out in Article 33 of the GDPR has been reached.
  2. If the personal data breach affects individuals in the UK and in several EU/EEA member states, the breach must be reported to the ICO and to the data protection authority of the EU/EEA member state in which the controller is established, which acts as the LSA within the EU/EEA.
  3. If the personal data breach affects individuals in the UK and in several EU/EEA member states, and the controller is established in several EU/EEA member states, the breach must be reported to the ICO and to the LSA within the EU/EEA, which must be identified with reference to the applicable EDPB guidelines.
  4. If the personal data breach affects individuals in the UK and in several EU/EEA member states, but the controller has no establishment in the EU/EEA, the breach must generally be reported to the ICO and to the data protection authority in every EU/EEA jurisdiction in which individuals are affected. This could mean that a controller has to notify a large number of data protection authorities of the same breach and, in theory, could be investigated and fined by any of them.

The fact that the ICO can no longer act as an LSA under the one-stop-shop mechanism clearly complicates the reporting of personal data breaches that affect both the UK and the EU/EEA.

In particular, the fourth scenario described above could mean that significant additional resources are required to deal with the regulatory consequences of a major personal data breach. That said, if a UK data controller has appointed an EU/EEA representative under Article 27 of the GDPR (which the GDPR requires where a controller is not established in the EU/EEA but falls within the territorial scope of the GDPR under Article 3(2)), this may justify notifying only the data protection authority in the member state where that representative is located, in accordance with the applicable EDPB guidelines. In this context, ensuring compliance with the requirements of Article 27 may prove very helpful to controllers in handling any future personal data breaches.

Likewise, scenario three could give rise to complex situations if it is not immediately clear which EU/EEA establishment is to be regarded as the controller’s main establishment in the EU/EEA, and therefore which data protection authority is to be regarded as the LSA in a given context.

UK-based controllers would be wise to consider which of the above scenarios might apply to them in the event of a personal data breach, and to update their policies, procedures and resource allocations accordingly.

Trainee lawyer Nicolas Bennett-Jones contributed to this article.