Given the uncertainty around both the timing and form of Brexit, organisations whose businesses rely on cross-border transfers are understandably concerned that a no-deal or “hard” Brexit will impede processing overnight. There has therefore been a wave of guidance issued by various data protection regulators and bodies, which we have rounded up below:
Irish Data Protection Commissioner releases guidance on personal data transfers from Ireland to UK in event of no deal Brexit
In the lead-up to Brexit, many organisations have set up Irish entities, and this will have prompted the publication of this guidance, which focusses on implementing standard contractual clauses to safeguard data transfers from Ireland to the UK.
The guidance can be accessed here.
European Data Protection Board (“EDPB”) information note on data transfers in event of no-deal Brexit
This is a helpful note explaining the mechanisms available to UK businesses transferring or receiving personal data in the event of a no-deal Brexit. The note recognises that the most commonly used mechanism will be standard contractual clauses and that, where additional clauses are agreed to, they must not dilute or in any way reduce the level of protection afforded to individuals via the standard contractual clauses.
Binding corporate rules will also be useful for large organisations with entities outside the UK. If your organisation already has binding corporate rules in place, these can be used in the event of a no-deal Brexit, but it is highly advisable that these are reviewed for GDPR compliance. For organisations that wish to obtain new binding corporate rules, this will involve approval by your lead supervisory authority (this is addressed by another EDPB note as below).
The information note can be accessed here.
EDPB information note on binding corporate rules for companies where ICO is lead supervisory authority (“LSA”)
In the event of a no-deal Brexit, the ICO will no longer be the LSA and businesses wishing to apply for new binding corporate rules will need to identify the most appropriate LSA in an EU Member State.
Organisations that have submitted applications which are at the ICO review stage will also need to identify the most appropriate LSA in an EU Member State, and that LSA will take over the application.
Where the ICO has a draft decision approving binding corporate rules and is awaiting final approval from the EDPB, those organisations must advise the EDPB of their new LSA and re-submit a draft for approval.
The note can be accessed here.
NHS release guidance on sharing of personal data in event of no deal Brexit
All NHS organisations should consult the notes and guidance above and should have completed their annual Data Security and Protection Toolkit assessment, the deadline for which was the end of March 2019. This will allow health and adult social care providers to quickly identify and address any vulnerabilities. The guidance also provides email addresses for points of contact if any issues arise in respect of data flows, databases or data stored in the EEA.
The guidance can be accessed here.
French Data Protection Regulator CNIL publishes FAQs to prepare for no-deal Brexit
Government issues paper “Implications for Business and Trade of a no Deal Exit on 29 March 2019”
Some Member States are preparing for a no-deal Brexit by introducing ‘no-deal’ legislation to mitigate the risks of disruption to certain financial services provided by UK-based firms; however, it is unclear how effective these pieces of legislation will be. The current trend for financial services firms based in the UK has been to set up new European entities as part of their no-deal planning. It has become apparent that there may be a gap in the lawful free flow of personal data following a no-deal exit. The EU have said that they would not begin to assess the UK’s data practices (with an aim of deeming them adequate) until the UK is a third country. In this instance, businesses will have to use the mechanisms that have been discussed above.
The government paper can be accessed here.
The ICO Brexit Blog – Myth Busting
The ICO’s latest blog post focuses on addressing some of the issues and concerns that businesses and organisations have in relation to a no-deal Brexit. A lot of these points are misconceptions, and the blog provides a useful analysis of what is the most likely eventuality. The ‘myths’ that are addressed include a total restriction on transferring personal data from the UK to the EU, the extent to which UK companies’ data transfers will be affected and the likelihood of an adequacy decision.
The ICO’s guidance page for Brexit (which includes this blog) can be found here.