With negotiations between the EU and the UK over our future trading relationship going to the wire, there is a very real possibility that no deal will be reached by 31 December.
With the government exhorting all organisations to prepare for that scenario, the focus of the Information Commissioner’s Office (ICO) remains the continued lawful transfer of personal data between the UK and Europe, whatever the outcome. If you transfer personal data from the UK and / or receive personal data from the EEA, this briefing note explains how such transfers will be affected and what you need to do to remain compliant.
In the event of no-deal…
The ICO has confirmed that data protection compliance should continue as usual: the key principles, rights and obligations will persist, and organisations already complying with the GDPR should be well placed to comply with the post-Brexit regime, which will be known as the UK GDPR (the GDPR as retained in UK law, read together with the Data Protection Act 2018). The existing GDPR will become known as the EU GDPR.
If the UK leaves the EU without a deal in place, there are two directions of personal data transfer to consider:
- from the UK; and
- to the UK from Europe.
Whether you are transferring personal data from the UK, or receiving data from a country within the EEA, existing law continues to apply. In other words, these personal data transfers will be lawful if they are covered by an adequacy decision, an appropriate safeguard, or an exception.
Personal data transfers from the UK to the EEA will continue to be permitted, so no further steps are necessary for UK organisations, although this is being kept under review. Transfers to countries outside the EEA for which no adequacy decision has been reached will remain subject to the existing restrictions set out in the GDPR.
For now, there are no restrictions on personal data transfers from Europe to the UK. This could change if the UK leaves the EU without a deal in place: under the legislation, the UK will become a third country and will therefore not automatically be considered to provide an adequate level of protection for personal data. Any transfer of personal data from a country within the EEA to a business in the UK will therefore be a restricted transfer and will require additional safeguards to comply with the GDPR. This applies regardless of whether the business transferring the data is a controller, a processor or a sub-processor, and to all organisations, whether large multinationals, small or medium enterprises, or sole traders.
So, unless your organisation already has approved binding corporate rules and only intends to transfer personal data within that group of companies, the most straightforward way to comply with the legislation when receiving personal data from a country subject to the GDPR is to adopt the Standard Contractual Clauses.
What are the Standard Contractual Clauses (SCC)?
The SCC are sets of clauses for use by controllers of personal data when sending personal data to, or receiving it from, another controller or a processor under the GDPR. The clauses are approved by the European Commission and are deemed to offer sufficient protection for data transfers to third countries. There are two sets: one for use between two controllers of personal data, the other for use between a controller and a processor.
The SCC already cannot cover every processing situation, and the UK faces a further potential hurdle in the event of no-deal: currently there are no SCC for transfers from EU processors to UK controllers. For such transfers there are other options that can be explored which, although not a strict legal fit, may demonstrate that contractual protections are in place in line with the ICO’s guidance.
However, the European Commission has published a draft new set of SCC that cover processor-to-processor and processor-to-controller transfers. If adopted by the EU and recognised by the UK, these would provide a legitimate transfer mechanism for such processor-led transfers.
Steps to take now:
- Establish the effects of Brexit on your organisation: map your data flows. Do you send personal data to, or receive personal data from, countries within the EEA?
- If so, consider updating your existing contracts to include the SCC, which will enable the continued transfer of data to your organisation.
- Check with the organisation concerned: for example, where it stores data on your behalf, it may agree to locate that storage within the UK so that no restricted transfer takes place.
- If you currently transfer personal data from the UK to countries outside the EEA without safeguards in place, consider adopting the SCC so that those transfers are lawful.
- If you have offices or a presence within Europe, ensure that their processing activities continue to comply with local data protection law.
- After Brexit, update your organisation’s privacy policy and any other relevant documents where required, for example to reflect the UK GDPR and any new international transfer arrangements.