Data and a no-deal Brexit

Modern business thrives on data. Last year saw a seismic shift in personal data protection rules with the introduction of the General Data Protection Regulation (GDPR), which continued to permit the free transfer of personal data around the EU.

A No Deal Brexit will have the consequence that the UK becomes a “third country” and no longer sits within the EU GDPR regime. However, businesses that hold the data of EU citizens in the UK will still need to comply with the GDPR and EU businesses that hold the data of individuals in the UK will need to comply with the UK’s GDPR regime.

Data Transfer EEA to UK

The immediate problem posed by a No Deal Brexit will be that personal data can only be sent outside the EU where there is an “Adequacy Decision” from the European Commission or certain other steps are taken (see below).

 Currently it seems that there is little appetite within the Commission to have any short-term Adequacy Decision.  Should that position be maintained then the only basis upon which data could be transferred to the UK from the EU would be to use one of the following mechanisms:

1. Standard Contractual Clauses
2. Binding Corporate Rules
3. Approved certification mechanisms and codes of conduct.

There will also be a power to transfer data where there is explicit consent; where it is necessary for the performance of a contract or in the exercise of legal claims.

With no prospect of the Commission making an Adequacy Decision in the immediate aftermath of the UK’s exit, organisations should consider now which of the above mechanisms will provide them with the ability to transfer personal data after 29 March 2019. Each organisation will need to consider the best method for it and remember that it is not just a paper exercise they are undertaking but one which they need to live out in practice and which will be policed by data protection authorities.

It is likely most will choose the Standard Contractual clauses route. Indeed Ireland’s Data Protection Commission has just issue a warning to this effect.

Data Transfer UK to EEA

UK legislation in place to facilitate Brexit will allow the continued transfer of data to EEA countries and those with an Adequacy Decision issued by the EU Commission before 29 March 2019. The reality of a No Deal Brexit on data transfer from the UK to the EEA should, therefore be minimal.

Other Impacts 

Currently organisations that operate in a number of EU countries may have their Lead Supervisory Authority (LSA) in the UK, i.e. the Information Commissioner’s Office. Those that do will have to consider whether they can and should designate an LSA in an EU  members state.

Where a company has its LSA outside the UK that can continue but where the company has operations in the UK it will need to deal with the ICO in relation to the UK.

Privacy Notices, which were drafted less than 12 months ago will also need to be revisited, in the light of the UK’s departure from the EU, as without a deal on Brexit, the UK will become a third country.

Companies need to consider what they want to do. They can analyse now how their data flows and which countries it flows through. Once they understand the position, they might decide to do nothing in the hope there is a deal.  That might leave them in a position where they are able to do relatively little once we know whether there will or will not be a deal. Some may decide to go further and put in place a mechanism to allow data to continue to flow, in the event that there is No Deal. This will involve not only a paper exercise but the taking of pro-active steps to ensure compliance following Brexit. This will be the best and most effective strategy. Data will not stop flowing on 29 March, what will change is the risk posed by that data. Those businesses may, therefore, carry out work which is unnecessary but will have the comfort of knowing that whatever happens, they will be compliant.