Brexit No-Deal - How to prepare and what does it mean for UK organisations?
Processing and storing individuals' personal data is an issue all organisations face with Brexit rapidly approaching, and the concerns of the business community increase if a no-deal Brexit were to take place. In the event of a no-deal Brexit, the legal framework governing the transfer of individuals' personal data from the EU to the UK would change on exit date.
How can we prepare?
- The first thing to do is to take stock. Understand your international flows of personal data, so that you know if any of your transfers are or will become restricted transfers under UK or EU data protection law on exit date. While all transfers have to be considered, you may want to prioritise transfers of large volumes of data, transfers of special category data or criminal convictions and offences data, and your business critical transfers.
- Consider how you may continue to make and receive those transfers lawfully after exit date, and without an adequacy decision by the European Commission in relation to the UK. Key transfers to consider will be from the EEA to the UK.
- Often a relatively simple way to provide an appropriate safeguard for a restricted transfer is to enter into standard contractual clauses between the sender and receiver of personal data.
Use the ICO's interactive tool, "Do I need to use standard contractual clauses for transfers from the EEA to the UK?", to help you decide. There are also template contracts which you can use.
- Multinational corporate groups should also consider their use of existing EEA approved binding corporate rules to make transfers into and out of the UK. These will need updating to reflect that, under the EU GDPR, the UK becomes a third country on exit date.
- If, as a result of exit, you will be making transfers of personal data from the UK that will become restricted transfers (e.g. transfers between the UK and the EEA which were previously permitted as transfers between EU Member States), you should also update your documentation and privacy notice to expressly cover those transfers.
- If you are receiving personal data from a country, territory or sector covered by a European Commission adequacy decision, the sender of the data will need to consider how to comply with its local laws on international transfers.
You are making a restricted transfer outwards from the UK if:
- the UK version of the GDPR applies to the processing of the personal data you are transferring;
- the UK GDPR does not apply to the importer of the data, usually because they are located in a country outside the UK (which may be in the EU, the EEA or elsewhere); and
- you, the sender of the personal data, and the receiver of the data are separate organisations (even if you are both companies within the same group).
The UK is England, Scotland, Wales, and Northern Ireland. It does not include Crown dependencies or United Kingdom overseas territories, including Gibraltar.
The UK government has stated that, on the UK’s exit from the EU, transfers of data from the UK to the EEA will be permitted. It says it will keep this under review.
The UK government will allow transfers to Gibraltar to continue.
If your restricted transfer is not to the EEA, then you should already have considered how to comply with the GDPR. You will continue to be able to rely on the same mechanisms.
The EU GDPR will continue to apply to an EEA sender of personal data. To understand the obligations on the EEA sender of personal data to you in the UK, bear in mind that on exit date the UK will be a third country outside the EEA.
The European Data Protection Board (EDPB) is still finalising detailed guidance in this area. In the meantime, you are advised to take a broad interpretation of a restricted transfer: you are receiving a restricted transfer if you are a controller or processor located in the UK and an EEA-located controller or processor sends you personal data.
Under the GDPR, an EEA controller or processor will be able to make a restricted transfer of personal data to the UK if any of the following apply:
- The EEA controller or processor will be able to make a restricted transfer to the UK if it is covered by an adequacy decision by the European Commission.
- At exit date there may not be an adequacy decision by the European Commission regarding the UK. The ICO will keep us updated as to any plans by the UK Government and European Commission regarding an adequacy decision.
- If there is no European Commission adequacy decision in respect of the UK, but the EEA sender has put in place one of the EU GDPR list of appropriate safeguards, the EEA sender will be able to make the transfer to you.
- For most businesses a convenient appropriate safeguard is standard contractual clauses. The ICO's interactive tool, "Do I need to use standard contractual clauses for transfers from the EEA to the UK?", can help you decide, and template contracts are also available.
- For restricted transfers from an EEA public body to a UK public body, where one of the parties is unable to enter into a contract, an appropriate safeguard may be provisions inserted into an administrative arrangement between these bodies. This will need to be authorised by the data protection supervisory authority with oversight of the EEA public body.
For further information, contact one of our GDPR qualified experts today.