One headache that organisations can avoid in the event of a "No Deal" Brexit is uncertainty over whether data will still flow globally around their organisation. We set out what organisations need to do with their international data flows to make sure they are prepared if there is no deal.
Last month, the ICO and the UK government each published guidance on the data protection implications in the event of a "No Deal" Brexit. We have summarised the key points in this article.
What data protection law will apply after Brexit?
There will be no substantive changes to the data protection laws in the UK as the government has already incorporated the General Data Protection Regulation ("GDPR") into law through the Data Protection Act 2018.
How will international transfer of personal data be affected by Brexit?
We have summarised the position for each international transfer of personal data:
Transfers from the UK to the EEA || No additional measures required; the UK recognises all EEA states as "adequate"
Transfers from the UK to an "adequate" non-EEA country || No additional measures required; the UK will follow adequacy rulings by the EU on a transitional basis
Transfers from the UK to any other non-EEA country || Existing rules apply (i.e. an appropriate safeguard is required): standard contractual clauses, binding corporate rules or Privacy Shield can continue to be used
Transfers from the EEA to the UK || No specific guidance on any requirements other than the law as it stands, meaning controllers based in the EEA would need to put in place one of the appropriate safeguards, e.g. standard contractual clauses
Full ICO guidance
Full UK government guidance
What can organisations do in the meantime?
The ICO has published a "Six Steps to Take" guide. The key points include:
- Continue to comply: continue to comply with the GDPR and follow the ICO's guidance.
- Transfers to the UK: review current data flows and identify data flowing into the UK from the EEA. Then consider what GDPR safeguards (e.g. standard contractual clauses) can be put in place.
- Transfers from the UK: review current data flows and identify data flowing from the UK to any country outside the UK.
- European operations: if you operate across Europe, review your structure, processing operations and data flows to identify the applicable data protection regimes.
- Documentation: review privacy information and data protection documentation to identify areas that require updating.
- Organisational awareness: make sure that the key people in your organisation are aware of these issues and include these steps in any Brexit planning.
What if Brexit happened tomorrow?
The guidance from the ICO and the UK government provides useful clarification on the impact of a "No Deal" Brexit. A further source of comfort would be confirmation from the EU that personal data can continue to flow freely from the EEA to the UK, e.g. if the EU made a finding of adequacy for the UK. Of course, this is not for the UK to decide and we await further developments on this.
Since the UK has incorporated the GDPR into UK law, one may be inclined to think that the UK is ready-made for an adequacy decision and should be given this status promptly following Brexit. Unfortunately, the adequacy decision applies only to non-EEA countries and the process cannot commence until the UK leaves the EU (29 March 2019). Furthermore, there is no telling as to how long (or short) the adequacy decision will take to be approved.
If Brexit were to happen tomorrow, the UK would be subject to the same restrictions on international transfers of personal data under the GDPR that apply to a non-EEA country; i.e. in order to send personal data from the EEA to the UK, standard contractual clauses can be put in place, with the EEA organisation sending the personal data acting as "data exporter" and the UK organisation receiving it acting as "data importer". Companies should review their data flows, using the data maps produced as part of GDPR compliance programmes, to identify where data flows from Europe to the UK and put appropriate measures in place.