What could a No-Deal Brexit mean for GDPR?
For many businesses in the UK, the free flow of data from the EU is a vital cog in the wheel. While the terms of Brexit remain uncertain, the smooth running of business and ability to plan ahead doesn’t have to be.
Sending Personal Data from the UK to the EEA
Sending data from the UK into the EEA, thankfully, will remain unchanged, so businesses that send their data to the EEA can relax (a little).
Sending Personal Data from the EEA to the UK
If the UK leaves the EU without a deal, there is the potential for businesses to be blocked from receiving data from EEA sources. This is because the EU has to confirm that the UK has the safeguards and regulation in place to protect EU citizens’ data.
Given that the British government, at least for the interim, intends to write the EU GDPR into UK law after Brexit (where it will be non-confusingly known as the “UK GDPR”), it is very likely that the EU will at some point confirm that the UK has adequate safeguards in place. However, due to the somewhat frosty relationship between the UK and the EU, this may take some time.
For the immediate future, the Information Commissioner’s Office (“ICO”) has issued standard contractual clauses which UK businesses should be sending to their EU data suppliers before 31 October 2019. These clauses are currently the only ICO-recommended way of protecting the ability of a UK business to receive data from within the EEA. Whatever the outcome of Brexit, it will undoubtedly take some time before the issues around the flow and sharing of data from the EEA to the UK become clear. In the event of a no-deal departure, the ICO has issued guidance to help those businesses prepare.
See the full guidance here
And the US?
However, the guidance doesn’t cover the flow of data from the UK to the US, and this will need to be given further consideration. It is often overlooked: where a business uses cloud services, and those cloud services use back-up servers located in the US, the data protection implications of that transfer will need to be considered.
At present, the Privacy Shield between the US and the EU is in operation – the framework that protects the fundamental rights of anyone in the EU whose personal data is transferred to the US for commercial purposes – but it will no longer apply to the UK under a no deal.
Act before 31 October!
In a time of uncertainty for us all, it’s difficult to give confident advice on the best and most commercial way forward. However, the ICO has stepped up and provided very good guidance and advice which should be considered no matter how big or small your business is. Non-compliance fines and enforcement proceedings are not reserved for the big players.
Data is now one of the most lucrative assets a business can hold, and non-compliance with GDPR could be an expensive corporate mistake. The question is: will the drafting of contracts and the time spent safeguarding against a no-deal Brexit be time well spent, or will a deal be made before 31 October 2019 in relation to data? It might seem like a back-burner issue in light of all the changes the UK may be facing, but, as in all matters of compliance, our advice is: don’t leave it too late.