Businesses must plan for the lawful transfer of personal data to the United Kingdom post-Brexit. With nine out of 10 Irish business leaders considering data protection to be a major business issue, in this article we have briefly identified areas Brexit may impact Irish organisations’ international transfer of data.
In the absence of a UK-European Union withdrawal agreement providing for the continued flow of personal data (a no-deal Brexit scenario), businesses will need certain safeguards in place to underpin the lawful transfer of personal data from the European Economic Area (EEA) to the UK, including Northern Ireland, after 29 March 2019. This scenario would impact the transfer of personal data from the EU to the UK and organisations conducting business with the UK.
The free movement of personal data across the EU, including Ireland and the UK, is currently predicated on a common set of data protection rules, enshrined in the EU General Data Protection Regulation (GDPR). After 29 March 2019, the UK will be considered a “third country” outside the EEA (including the EU), similar to the way Ireland recognises the United States. This means that additional safeguards will be required for EEA-UK transfers of personal data.
Argentina, Canada, Switzerland and a few other countries have been recognised as providing adequate protection, but there is little chance that the UK will have been deemed “adequate” by the European Commission by 30 March 2019. In fact, the European Commission has said that no determination will be “forthcoming in the immediate term.”
The UK’s Information Commissioner’s Office (ICO) has said that “an assessment of adequacy can only take place once the UK has left the EU. These assessments and negotiations have usually taken many months.”
If and when the Commission does determine that the UK ensures adequate levels of protection, and this is not guaranteed to happen, separate safeguards will not be required. In the interim, personal data transfers to the UK will require the implementation of legal safeguards by Irish-based organisations and bodies that are transferring personal data.
Examples of safeguards include:
- standard contractual clauses;
- ad-hoc contractual clauses;
- binding corporate rules (BCR);
- code of conduct; and
- certification mechanisms.
It should be noted that some safeguards may not be immediately available, and some may not be suitable for all types of businesses.
So what can businesses do? We suggest that organisations:
- check data flows to be aware of what personal data is being transferred to the UK, including Northern Ireland, from Ireland;
- implement safeguards to legally transfer data, such as inserting standard contractual clauses, etc., into all their affected contracts;
- notify customers, employees and suppliers that their data is being transferred to a third country; and