Brexit may impact transfer of data between EU and UK, says ICO
14 December 2018
The Information Commissioner has warned that a possible no-deal Brexit may affect data transfers between organisations in the UK and European Union but will certainly affect transfers of personal information from the EEA to the UK.
Addressing small businesses in the UK who are doing business and sharing data with organisations based in Europe, Elizabeth Denham, the Information Commissioner, recently stated in a blog post that businesses must prepare for a challenging post-Brexit environment even though the GDPR will be absorbed into UK law following the separation.
She added that data flow between the UK and European nations will continue as hitherto only if the government enters into a withdrawal agreement with EU to provide legal sanction to the movement of data across borders.
Businesses must take steps to prepare for post-Brexit regulations
Even if such a withdrawal agreement is brought into fruition, the transfer of personal data from the EEA to the UK “will be affected” and organisations will need to “carefully consider alternative transfer mechanisms to maintain data flows,” she said.
“The Government has also made clear its intention to seek adequacy decisions for the UK. An adequacy agreement would recognise the UK’s data protection regime as essentially equivalent to those in the EU. It would allow data flows from the EEA and avoid the need for organisations to adopt any specific measures. But any such adequacy decisions will not be in place before the UK leaves the EU (and will take time to conclude). However, organisations need to consider their circumstances and what transfer mechanisms are appropriate,” Denham added.
According to ICO, organisations, especially small businesses, need to take six essential steps to ensure the free movement of personal data from EU to the UK post-Brexit. These include reviewing data flows, identifying where data is received into the UK from the EEA, putting in place GDPR safeguards, reviewing privacy information and internal documentation to identify any details that need to be updated in the aftermath of Brexit, and spreading awareness among employees about the latest information and guidance.
“If you receive data from organisations in the EEA, the sender will need to comply with the transfer provisions of the EU regime. This means the sender needs to make sure there are adequate safeguards in place, or one of the exceptions listed in the GDPR applies.
“If the EU makes a formal adequacy decision that the UK regime offers an adequate level of protection, there will be no need for specific safeguards. However, on exit date there may not be such a decision in place. So you should plan to implement adequate safeguards,” the ICO added.
Firms must stay prepared for the worst
Last month, Duncan Brown, Forcepoint’s Chief Security Strategist in EMEA, said that the UK would be treated like any other “third country” as per GDPR and that EU firms will not be able to move any data to firms located in the UK unless there are legal safeguards in place.
“Data received from the EU must comply with GDPR and it is illegal for an EU 27 firm to export data to a so-called “third country” without specific legal safeguards in place. Since post-Brexit UK will be a third country, UK companies will be subject to these safeguards,” Brown said.
According to Brown, one way to ensure unrestricted flow of data is to enter into a bilateral agreement with the EU similar to the EU-US Privacy Shield. The Privacy Shield was designed to provide companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data from the European Union to the United States in support of transatlantic commerce.
If the UK and EU 27 countries fail to agree to such a bilateral contract, then the UK will have to prove its adequacy based on its data protection credentials but the same could be delayed or complicated because of its “approach to citizen surveillance (via the Investigatory Powers Act 2016) and its intention to withdraw from the EU Charter of Fundamental Rights.”
“Our view is that companies should assume that GDPR, as implemented in the UK DPA, will persist for the foreseeable future, post-Brexit. Day-to-day compliance requirements will not change (much, or at all). However, for those companies engaged in receiving data transfers from the EU, additional focus must be given to the legal safeguards required.
“Companies may take a wait-and-see approach, but may wish to familiarise themselves with – at least — Standard Model Contract Clauses. Should a no-deal Brexit result occur, such firms would not be able to receive EU data transfers without a legal safeguard measure in place,” Brown added.