The Information Commissioner’s Office (ICO) and the UK Department for Culture, Media and Sport (DCMS) have each issued no-deal Brexit data protection guidance.
EU/UK personal data transfers
The UK government has committed to incorporating the General Data Protection Regulation (GDPR) into domestic UK law when the UK leaves the EU. This means there will not be any substantive changes to the data protection rules that companies in the UK must follow.
However, companies that transfer personal data from the UK to the European Economic Area (EEA), or from the EEA to the UK, will be affected.
Elizabeth Denham, the UK Information Commissioner, recently published a blog post about the transfer of personal data from the EEA to the UK. The current free flow of personal data from the EEA to the UK will no longer be possible. A withdrawal agreement must therefore specifically provide for the status quo to continue.
To help organisations prepare for a ‘no deal’ Brexit, the ICO has published a short guide for UK businesses: ‘Six Steps to Take’:
- Continue to comply with GDPR and follow ICO guidance.
- Transfers to the UK: Review data flows and identify where your organisation receives data into the UK from the EEA to ensure sufficient safeguards are in place to allow the continued flow of personal data.
- Transfers from the UK: Identify data flows to countries outside of the UK, as these will fall under new UK transfer and documentation provisions.
- European operations: For organisations that operate across Europe, data flows, processing operations and group structures should be reviewed to fully understand the effect of Brexit on operations.
- Documentation: Identify privacy documentation in the event it needs to be updated when the UK leaves the EU.
- Organisational awareness: Ensure key people in the organisation are aware of these key issues and that plans are up to date.
The DCMS emphasised that a Brexit ‘no deal’ outcome was ‘unlikely’. However, it has issued ‘no deal’ data protection guidance for UK businesses:
- The UK will transitionally recognise all EEA states, EU and EEA institutions, and Gibraltar as providing an adequate level of protection for UK personal data.
- If the EU has made an adequacy decision for a non-EU country, the UK government will preserve such decisions on a transitional basis. This will mean that transfers from UK organisations to these countries can continue uninterrupted.
- Provision will be made so that Standard Contractual Clauses can continue to be used to export personal data from the UK.
- Controllers of personal data located outside of the UK will be required to appoint a UK representative. This requirement will only apply to companies that sell into the UK or monitor the behaviour of UK residents. This obligation will mirror GDPR Article 27.
Both the ICO’s and the DCMS’s guidance provide useful assistance to UK businesses that process personal data. However, both sets of guidance are focused on the short-term, immediate impacts of a ‘no deal’ Brexit.
The big unknown is how, or if, personal data can continue to be transferred unimpeded from the EEA to the UK. Of particular importance to UK businesses is whether or not the European Commission will judge the UK to be an ‘adequate’ third country. This would allow the continued free flow of personal data from the EEA to the UK.
All eyes remain on Westminster and Brussels to see how Brexit will unfold.