The Information Commissioner’s Office has recently reiterated its message to businesses to “prepare for all scenarios” in light of the possibility that the UK leaves the European Union with no deal.
Personal information has been able to flow freely between organisations in the UK and EEA without any specific measures because there is a common set of rules for processing data under the EU General Data Protection Regulation. This two-way free flow of personal information will no longer be the case if the UK leaves the EU without an additional agreement that specifically provides for the continued flow of personal data.
Regardless of Brexit, businesses will need to consider whether they are currently transferring personal data to countries outside the EU, but Brexit brings the additional complication that, once the UK leaves Europe, additional measures will be needed to assure data transfers into the UK.
Does this apply to us?
Any UK business that operates within the EEA and sends personal data outside the UK, or receives personal data from a country within the EEA, will be affected. In addition, it will also affect businesses operating outside the UK if they are offering goods or services to individuals in the UK or monitoring the behaviour of individuals within the UK (with the exception of organisations that only transfer personal data from or to consumers).
What does this mean in practice?
After Brexit, the UK Government intends to allow data to flow from the UK to EU countries. However, transfers of personal data from the EEA to the UK will be affected. Moving forward, any transfer of personal data from an EU country into the UK, or from the UK/EU to a “third country” (i.e. one outside the EU), will need an additional safeguard implemented around that transfer.
The GDPR details a number of possible safeguards that would provide adequate assurances around data transfers, although some of these, such as Codes of Conduct and Certification Mechanisms, are still under development. The main methods of assurance currently available to organisations are:
- Adequacy Decision
- Binding Corporate Rules
- Standard Data Protection Clauses / Contractual Clauses Adopted by the ICO
- Enforceable Instrument / Administrative Agreement between public bodies