What happens to your data flow in the event of a no deal Brexit?
There’s a lot of speculation at the moment about the possibility of a no deal Brexit on 31 October. This could have significant implications for any organisation that relies on the sharing of data between EU member states and, these days, that means most organisations. The free flowing of employees’, suppliers’ and customers’ data between the UK and other EU member states is essential for the smooth running of supply chains for all kinds of businesses.
All the while the UK remains an EU member state, personal data can flow without restriction. In the event that we leave the EU with a deal then there will be no immediate change to this situation. Personal data will continue to flow freely during the transition period until 2020 at which point a longer-term solution will hopefully be put in place. The UK is committed to the standards of data protection laid out in the GDPR, the government has incorporated the GDPR into UK law through the Data Protection Act 2018, so whatever happens you need to ensure that you’re compliant with GDPR even if you only handle data belonging to UK citizens.
Does your data flow from the EEA into the UK?
However, in the event of a no deal Brexit things will be more complicated. Both the Information Commissioner and the UK government have made it clear that the intention is to enable data flow from the UK to the EEA without any additional measures being needed. But the transfer of data from the EEA into the UK will be affected. So, the first thing you need to do is to map how personal data flows to establish where the data for which you’re responsible is going. If you have personal data flowing from the EEA back into the UK then you should think about putting plans in place for how you’ll manage a no deal Brexit.
In the event of a no deal Brexit the UK is then treated as a ‘third country’. That means that transferring data from the EEA to the UK will require the UK to be added to the so-called ‘adequacy list’ or other appropriate safeguards to be put in place. The adequacy list is a list of non-EU countries who are deemed to have data protection measures in place that are equivalent to European standards such as GDPR. Data can flow smoothly between EU countries and countries on the adequacy list.
What happens before ‘adequacy’ is established?
The intention of the EU and UK is that the UK will be added to the adequacy list at some point, but this is not going to be a quick process. Indeed, the process cannot even begin until the UK has actually left the EU and the negotiation of adequacy agreements typically takes many months. So, what will happen in the interim?
Until the UK is added to the adequacy list, businesses will need specific legal transfer arrangements to be in place before personal data can be transferred from the EEA to the UK. There are several different mechanisms for legitimising the transfer of personal data such as standard contractual clauses or binding corporate rules. The ICO has produced an online tool designed to help organisations to put contract terms in place to provide the lawful basis for data transfers.
The ICO will no longer be an EU authority
After Brexit the ICO will no longer be an EU authority so you may need to deal with the ICO and also with the European supervisory authorities in each of the EEA and EU states where you’re active. This applies if you have branches, offices or other establishments in the EEA and if you’re only based in the UK but are offering goods or services to consumers in the EEA or monitoring individuals’ behaviour. In these circumstances you’ll need to appoint a suitable representative in the EEA who will act as your local representative when dealing with individuals and data protection authorities in the EEA. This cannot be the same person as your DPO. There are some exemptions to this rule, for example for public authorities or for organisations whose processing is only occasions and deemed to be low risk. There’s more guidance on this on the ICO website.
In the event of a data breach you would need to notify both the ICO and the relevant EEA authority and there’s a risk of potentially being fined twice by both organisations. For this reason we strongly recommend that organisations make sure they are GDPR compliant and that their policies and procedures are as robust as they can be in advance of the UK’s exit from the EU. Talk to us today about how we can help you with this.