ICO Publishes Guidelines for Data Protection in the Scenario of a No Brexit Deal
TOPICS: Data Protection, Data Transfer, Brexit, GDPR, ICO, UK, Europe
The UK Information Commissioner's Office ("ICO") issued its Guidance to help businesses prepare for data protection compliance in case of a no-deal Brexit, and to help UK based businesses keep personal data from the European Economic Area ("EEA") flowing after Brexit.
In its Guidance, the ICO clarifies that even if the UK leaves the European Union without a deal, most data protection rules and regulations will stay the same, as the UK will stay committed to maintaining the same standards as the General Data Protection Regulation ("GDPR"), which will be incorporated, with some changes, into UK law after Brexit. Hence, the effect of Brexit on small to medium businesses, in terms of data protection, will be small.
However, there will be some implications for transferring personal data between the UK and the EEA:
UK based businesses that do not collect data on EEA customers will not have to take any significant steps as long as they are compliant with the GDPR. The UK is committed to maintaining the high standards of the GDPR and is planning to incorporate it into UK legislation. Such businesses will have to stay updated in case minor changes are required after Brexit.
UK based businesses that receive personal data from contacts in the EEA will have to take steps to stay compliant and ensure that data from the EEA can continue flowing to the UK. According to the ICO, the UK government is committed not to restrict data transfers to the EEA. Where a business receives personal data from an organization within the EEA, it will need to comply with EU data protection laws. In order to keep data flowing to the UK, the ICO recommends implementing the Standard Contractual Clauses published by the European Commission, since the UK will no longer be considered a member state.
UK based businesses that have a presence in the EEA or European customers will have to be compliant with both the GDPR and UK data protection laws after Brexit. If a business has a branch or an office in the EEA, its European activities will still be fully covered by the GDPR and be subject to the relevant Lead Supervisory Authority. Businesses which only have European customers, or which monitor the behavior of individuals in the EEA, may need to designate a data protection representative in the EEA.
UK based businesses that share data with countries outside Europe will not have to take any significant steps at this point in time, since the rules for sharing data with countries outside the EEA will remain similar. Businesses will be able to make data transfers outside of the UK if the country of destination is covered by the new UK adequacy regulation. The UK government intends to recognize the EU security adequacy decision made by the European Commission before the exit date. The EU-US Privacy Shield will still apply, as long as the organization participating in the Privacy Shield updates its public commitment and expressly extends it to the UK.
On the same topic, earlier this year we reported that the UK government has published the Data Protection, Privacy and Electronic Communication Regulations 2019 in order to ensure that the data protection regime will function smoothly upon Brexit.
We would be happy to provide further guidance if you have any questions on how Brexit might affect your business.
This update was published as part of our Technology & Regulation monthly client update by HFN's Technology & Regulation Department.