This is A MoFo Privacy Minute, where we will answer the questions our clients are asking us in sixty seconds or less.
Question: We recently notified our lead data protection authority in the EU of a data breach we suffered. Do we need to also notify the UK data protection authority (ICO) or will our lead DPA forward the notification to the ICO as part of an ongoing cooperation?
Answer: This is a great question, and the short answer is that you will unfortunately have to make a notification twice if the data breach is also subject to UK privacy laws.
With discussions about Brexit focusing on international transfers, it is sometimes overlooked that Brexit also affects the one-stop-shop mechanism of the GDPR. Companies that have an establishment in the EU can benefit from the one-stop-shop mechanism and thus need only notify their lead data protection authority (Lead DPA) in the case of a cross-border data breach. However, now that the UK is no longer part of the EU, the ICO requires a separate notification where UK individuals are also affected by the breach. While the ICO states on its website that it “continues to engage with […] individual European Member States, and is developing new international and European relationships following the UK’s exit from the EU,” there is no formal agreement between the data protection authorities that would result in a continuation of the one-stop-shop mechanism.
The good news is that the threshold for notifying a data breach is the same in the UK as it is in the EU, so companies will not have to make separate assessments about whether or not to notify. This is because the UK has adopted a “UK GDPR” that is largely identical to the GDPR. However, this also means that Brexit affects companies that are active in the UK in more areas than just international transfers and data breaches. For example, companies with establishments in the EU may now be required to appoint a UK representative for their UK processing activities. In the same vein, companies established only in the UK may be required to appoint an EU representative. Companies that have neither an EU nor a UK presence may be required to appoint a representative both for the UK and for the EU (and these cannot be the same persons or entities).
So while a lot of the compliance efforts undertaken for the GDPR can be leveraged for the UK GDPR, companies should consider reviewing their existing procedures to account for the fact that the UK is now a third country with its own data protection laws and requirements.