Post-Brexit Personal Data Breach Reporting – An End to the ICO’s Role as One-Stop-Shop Lead Supervisory Authority
Ffion Flockhart (UK) and Steven Hadwin (UK) write:
The end of the Brexit implementation period on 31 December 2020 has brought with it significant changes to the data protection landscape for UK-based businesses. Amid headlines about data transfer issues and a potential adequacy decision for the UK in the coming months, businesses also need to be aware of significant changes to the way in which cross-border personal data breaches with a UK angle will need to be notified to data protection authorities (DPAs) in future.
The GDPR established a “one-stop-shop” principle, allowing companies to notify cross-border personal data breaches to a lead supervisory authority (LSA) in the EU/EEA Member State of their main establishment. A significant advantage of this system is that businesses usually need only to deal with a single DPA in relation to any investigation of the breach and any enforcement arising from it. Before the end of the transition period, the UK ICO could serve as an LSA for companies that had their main establishment in the UK in the event of a cross-border breach – indeed many high-profile breaches that have been investigated by the ICO since the implementation of the GDPR have been cross-border in nature, and have involved the ICO acting as LSA.
However, while the GDPR itself has been enshrined into domestic UK law, the ICO’s status has now changed.
Read more on the Data Protection Report.