No-deal Brexit and data protection
On 14 February, the Government issued new guidance on a no-deal Brexit for the professional and business services sector, covering three areas:
- Your employees
- Protecting personal data (see below)
- Cross-border business operations
The guidance is available here.
In the event that the UK leaves the EU on 29 March 2019 without a deal, UK businesses will need to ensure they continue to be compliant with data protection law.
The General Data Protection Regulation (GDPR) will be brought into UK law, meaning that current GDPR standards and existing guidance will continue to apply to businesses operating within the UK.
The GDPR contains additional rules to protect data that is transferred outside the EEA (known as restricted transfers). From 29 March 2019, if there is ‘no deal’, these rules will apply to data transferred from the EEA to the UK.
The rules on transferring data to a non-EEA state are simpler if the European Commission has decided that data is adequately protected in that state. If the UK exits without a deal on 29 March 2019, we do not expect the European Commission to issue an adequacy decision in time. This means that UK businesses must act now to comply with the GDPR rules on international transfers if they are transferring personal data across borders.
The UK does not intend to impose additional requirements on transfers of personal data from the UK to the EEA, so businesses will be able to send data to the EEA as they do currently. However, businesses will need to update their documentation and privacy notices as appropriate.
What do businesses need to do to prepare?
As a priority, UK businesses need to review their international data flows to identify any personal data they receive from the EEA. For example, an international transfer of personal data could include: a UK company using centralised or outsourced HR services in the EEA to process employee and payroll details; or receiving customer information from the EEA, such as names and addresses, in order to provide goods or services.
UK businesses, with their EEA partners, need to consider what GDPR safeguards they can put in place to ensure that personal data can continue to flow from the EEA to the UK once we have left the EU.
The GDPR sets out a range of different options that allow organisations to make restricted transfers, including appropriate safeguards. Further information can be found in the links below.
- One appropriate safeguard that can be used by many businesses is standard contractual clauses (SCCs). These are pre-approved by the European Commission and can be inserted into contracts to provide a legal basis for transferring personal data from the EEA to the UK. The ICO has produced an interactive tool to help businesses understand and complete SCCs for their personal data transfers from European partners.
- Businesses that are part of a multinational group may be able to rely on binding corporate rules (BCRs) for intra-group transfers as an appropriate safeguard.
- In specific situations, transfers are permitted without additional safeguards where one of the exceptions set out in Article 49 of the GDPR applies.
What resources are available?
Information Commissioner’s Office:
- Guidance and resources to prepare for EU-exit
- Leaving the EU – six steps to take
- Detailed guidance on data protection if there is ‘no deal’
HM GOV information on ‘No Deal’ EU Exit:
The government, and the Information Commissioner, will continue to provide guidance and information to businesses and other organisations to help them understand how they will need to operate under a range of outcomes on data protection, and plan appropriately.
Data protection questions to consider
- How aware is your organisation of the implications of a potential no-deal Brexit?
- In particular, has data protection been considered in relation to no-deal planning?
- What are the most common concerns, if any, about data protection under a no-deal Brexit?
- Are you looking at the risks and options regarding data protection in the case of a no-deal Brexit?
- How challenged was your organisation by GDPR compliance?
Transfers and data processing
- How dependent is your business on personal data transfers to/from the EEA?
- Can you estimate, as a percentage, how dependent your business is on data transfers?
- Are you aware of any discussions being had around additional measures organisations are adopting to guard against any negative impact on data protection compliance of a no-deal Brexit?