The effect of a no-deal Brexit on data transfers
Following its exit from the European Union on 31 January 2020, the UK is now in a transitional period during which it had hoped to negotiate a new agreement with the EU to govern their future relationship. This transitional period is rapidly coming to an end and, at present, no agreement has been reached. As time ticks by, it seems increasingly likely that the UK will exit the EU without a withdrawal agreement and without any distinct framework to govern our future relationship with the EU. If your business is currently wrestling with the challenges involved in preparing for a no-deal Brexit, we hope this article will assist in summarising the future position in relation to data transfers and how you can best prepare.
Does this affect your business?
Your business will be affected by the change where it operates in both the EU and UK, and your business model is built on routinely transferring data between each entity.
What is changing?
Currently, as part of being in the EU, the law around personal data and the transfer of personal data is governed by the General Data Protection Regulation (‘GDPR’). The GDPR permits businesses in the UK to transfer data freely between EU Member states and back again. Whilst much of the GDPR will be retained in the UK post-Brexit, the impact of us leaving the EU is that the UK will be categorised as a ‘third country’ by the EU. The GDPR imposes restrictions on the transfer of personal data to a ‘third country’ and therefore, data will no longer be able to be freely transferred in the way it is currently.
Whilst the UK Government has stipulated that it does not intend to apply such restrictions on the transfer of personal data from the UK to the EU, the EU have not been so accommodating and have not granted a similar condition in respect of data transfers from the EU to the UK. What we do know is that the transfer of personal data from the EU to the UK will be allowed where it is covered by:
- An adequacy decision
- An appropriate safeguard
- An exception
The UK is still hoping to agree an adequacy decision with the EU which would eradicate the need for businesses to implement other specific safeguards when transferring data between the EU and the UK. Any adequacy decision is unlikely to be reached swiftly and therefore it is advisable for businesses who operate in both the UK and EU to implement specific safeguards when dealing with the transfer of personal data.
What you need to do
If your business will be affected by this change, you may want to consider implementing one of the following safeguards to ensure any data transfer remains lawful:
- You should review your current contracts. The EU have approved the adoption of Standard Contractual Clauses to safeguard the transfer of personal data to third countries. Businesses should seek to include these terms within their contracts.
- If your business operates as a group of companies, it is advisable to have an overarching agreement between the companies containing binding corporate rules. These binding corporate rules will need to be updated to recognise the post-Brexit position.
- You should update any internal documents for recording data processing activities. This will include updating your Privacy Notices and Data Protection Impact Assessments.
- If you will continue to carry out cross-border processing post Brexit, and your current lead authority is the Information Commissioner’s Office (‘ICO’), you should consider which other EU supervisory authority will become the lead authority at the end of the transition period (if any).
Where you do not have any EU offices, branches or other establishments, but you still process data in the EU, for example by offering goods and services in the EU, you will need to appoint a representative in the EU who will be responsible for your EU GDPR compliance.
If you have any questions about the content of this article, the Commercial & IP Team at Coffin Mew would be happy to help so please do get in touch.