We’re now, once again, on the precipice of Brexit, and as the deadline nears you’ll see more stories about how EU-based organisations will be affected by the UK’s departure from the EU.
European organisations with ties to the UK are particularly concerned about the ramifications of the GDPR (General Data Protection Regulation). With the UK’s EU status up in the air, organisations must navigate their relationships carefully or face the prospect of strong penalties.
In this blog, we explain exactly what’s at stake and how you should prepare.
What you need to know about a no-deal Brexit
The crux of the matter is this: if the UK leaves the EU without a formal agreement, there will be no transition period before it becomes a ‘third country’ under the GDPR. From that moment, personal data flowing between the EU and the UK is subject to the GDPR’s restrictions on international transfers (Chapter V), rather than moving freely as it does between member states.
This is something we touched on recently, when discussing how a no-deal Brexit affects Ireland, but the details are largely applicable to data transfers between organisations based in the UK and any EU member state.
Since we wrote that article, MPs passed a bill that aims to block a no-deal Brexit. That’s good news for those who want a formal agreement, but it’s by no means a guarantee that it will happen. As with the previous extension, it simply gives the UK more time to negotiate.
A no-deal Brexit would still be on the cards, but it may happen a few weeks or months later.
So, it’s still in everyone’s best interests to prepare for a no-deal scenario.
The effects of a no-deal Brexit
As we mentioned earlier, a no-deal Brexit will see the UK immediately become a ‘third country’. This will have several major repercussions from a data protection perspective.
Under the GDPR, personal data may only be transferred to an organisation in a third country if one of the following mechanisms applies:
- An adequacy decision covering that country, as per Article 45 of the GDPR;
- Appropriate safeguards such as SCCs (Standard Contractual Clauses), as per Article 46; or
- BCRs (Binding Corporate Rules), as per Article 47, for transfers within a corporate group.
Article 49 also provides a narrow set of derogations (for example, the explicit consent of the data subject), but these are intended for occasional transfers and are not a sound basis for routine data flows.
An adequacy assessment of the UK cannot begin until exit day, and the process has historically taken years rather than weeks. So if there is no deal and therefore no transition period, any European organisation that shares personal data with partners in the UK will need SCCs or BCRs in place on exit day for its transfers to remain lawful under the GDPR.
SCCs are model contract terms approved by the European Commission, signed between the EU data exporter and the UK data importer (whether a supplier, partner or subsidiary), that commit the importer to protecting the data to GDPR standards. BCRs are a group-wide set of data protection rules, approved by a supervisory authority, that allow a multinational to move personal data between its own entities; they do not cover transfers to unrelated third parties.
Data transfers from the EU to the UK
The GDPR is a regulation, so its rules on third-country transfers apply in the same way in every EU member state. Supervisory authorities in individual member states may publish their own guidance on transfers to the UK, but the underlying requirement is the same everywhere: the EU-based sender must have a valid transfer mechanism.
Organisations in the UK that receive personal data from the EU should therefore work with their EU counterparts now to make sure an alternative transfer mechanism (usually standard contractual clauses) is in place before exit day.
Cyber criminals thrive on disruption, and the period leading up to and beyond Brexit will bring plenty of it.
Organisations should expect Brexit-themed phishing campaigns (fake notices about changed supplier bank details, customs paperwork or updated contracts, for example), as well as other attacks that exploit the uncertain security posture of organisations busy reorganising their processes.
Businesses across the EU should act now to ensure that their cyber defences are adequate, that their incident response plans have been tested and work, and that staff training, particularly on recognising phishing emails, is up to date.
Looking for expert GDPR help?
You can get more advice on how to stay on top of your data protection requirements with our Live Online GDPR Consultancy.
This service enables you to book consultancy support by the hour, giving you the assistance you need in a time frame of your choosing. Our experienced data protection consultants can help:
- Steer your GDPR strategy;
- Explain your GDPR compliance requirements;
- Guide you on privacy management and data protection practices; and
- Act as a virtual member of your GDPR compliance team.