With so much political uncertainty surrounding Brexit and what it might mean for the UK, businesses can be forgiven for assuming that they can do little to plan for it. However, in terms of data protection, there are a few important steps that a business can take to prepare. One of the most important of these steps relates to ensuring that cross-border transfers of personal data can continue in the event of a no-deal Brexit.
International Data Transfers
Transfers from the EEA to the UK
Irrespective of whether there is a no-deal Brexit or not, the GDPR will continue to apply in the UK in conjunction with, and subject to, the Data Protection Act 2018. However, this does not mean that nothing will change in relation to transfers of personal data from the EEA. This is because, unless a withdrawal agreement mandates otherwise (which, at least in the short term, seems unlikely), the UK post-Brexit will be considered a “third country”.
The result of the UK being a “third country” is that the GDPR’s general prohibition on the transfer of personal data out of the European Economic Area (“EEA”) will apply to transfers to the UK. As such, companies will need to rely on a GDPR-compliant lawful transfer mechanism (e.g. the Standard Contractual Clauses) in order to permit the transfer of personal data from the EEA to the UK.
Transfers to the EEA from the UK
The UK government has confirmed that the UK will continue to allow the free flow of personal data from the UK to the EEA in the event of a no-deal Brexit (meaning that no lawful transfer mechanism is required in relation to these data flows).
Transfers from the UK to non-EEA countries
With respect to data transfers from the UK to non-EEA countries, the same restrictions will continue to apply as is currently the case. In other words, the European Commission’s adequacy decisions will continue to apply and, with respect to non-adequate countries, companies will still need to rely on a valid lawful transfer mechanism to transfer personal data to those countries.
What to do now?
In the short term, no additional steps are required for data transfers from the UK. However, businesses should review this position carefully as the UK and EU data protection regimes may diverge post-Brexit. For example, there is no guidance on the approach the UK government will take if and when the European Commission grants further adequacy decisions, e.g. will the UK government automatically deem that country adequate or will it mandate that additional hurdles must also be met?
With regard to data transfers from the EEA to the UK, all UK businesses should consider whether they are receiving personal data from organisations based in the EEA. For example, if UK companies acquire marketing lists from EU-based organisations to assist them with promoting any of their products, they will need to ensure that this information is transferred to the UK lawfully. Whilst, pre-Brexit, it may not be proportionate to amend all existing contracts with EU-based organisations, we would recommend that all businesses identify those data flows that are material to their operations (or that include valuable or sensitive personal data) and ensure a lawful transfer mechanism is put in place for those data flows before the UK leaves the EU. The Information Commissioner’s Office has stressed that no business should presume that free flows of personal data from the EEA are guaranteed, so all businesses should plan accordingly.