When Data Protection meets Brexit
You’d be hard pressed to decide which caused more of a furore in recent times, Brexit or GDPR! The good news is that there will be an almighty collision of the two if we have a ‘no deal Brexit’.
Just when you thought things had calmed down on the data protection front, if we exit Europe without a deal we will have to revisit what we are doing with personal data, in particular personal data that flows to or from the EU. The UK will, in data protection terms, be classified as a third country.
The Information Commissioner’s Office (the ICO) has been circulating information on the subject in recent weeks but the message may not be getting through.
According to the ICO: “At the moment personal data flow is unrestricted because the UK is an EU member state. But if the UK leaves the European Union with no deal, that will change, and additional measures will be needed to make sure your business complies with the law. It’s important you make sure your organisation is properly prepared for all exit scenarios, whether you’re a sole trader or small business or a large multi-national”.
So the ‘simple’ life of following GDPR and the Data Protection Act may now be over. If the UK is no longer part of the EU, and a deal is struck that does not include GDPR concessions, the UK will sit alongside the rest of the world in how it processes any personal data to or from the EU. Businesses in the UK will need to have contracts in place with an EEA-based sender to ensure that the data is secure.
There are EU-approved terms, known as Standard Contractual Clauses (SCCs), that need to be included in contracts covering transfers between controllers (controller to controller) and controller-to-processor transfers (where the UK-based business is the data processor).
The ICO have put in place two interactive tools to help businesses assess whether they need to have the SCCs in place. There are separate tools depending on whether your business is a small organisation or a large one.
Contracts will need to be reviewed to see if there are restrictions on transferring data outside the EU.
Businesses should also review the basis on which they process personal data. There is an informed school of thought that considers that any consent obtained while the UK was a member of the EU may no longer be valid if the UK leaves.
Privacy policies need to be reviewed so that individuals interacting with a business understand and are informed of the movements of their personal data in and outside the EU.
Need more information? Please contact Angela Kerry of our Commercial Law team.
Emms Gilmore Liberson can assist and advise you with the ever-changing landscape of data protection law.