With the UK once again on the precipice of Brexit, organisations across Ireland remain shackled by uncertainty. There is still no clear picture on what Brexit will look like, and fundamental issues, like whether the UK will strike a formal agreement with the EU before it leaves, are up in the air.
The prospect of a no-deal has increased since Boris Johnson became prime minister, but experts still favour the likelihood of a deal.
So, what should Irish organisations be doing? We can’t say what’s best for your overall business strategy, but we can help when it comes to transferring personal data in and out of the UK.
No-deal personal data transfers
Personal data transfers are one of the few areas of Brexit where clear plans are in place should the UK leave without a formal agreement. With little other guidance currently available to help you prepare for a no-deal Brexit, it makes sense to get this sorted as soon as possible.
The UK government’s plan is relatively straightforward. In a no-deal scenario, the UK will become a ‘third country’ – that is, neither a country in the EEA (European Economic Area) nor the country in which the organisation receiving or sending the data is based.
As such, data transfers will be treated in the same way as exchanges with any other country outside the EU.
If you share personal data with an organisation based in the UK, you’ll need to prepare certain safeguards – which we explain further below – to ensure that those exchanges continue legally.
What kinds of processing are affected?
Any activity in which you move personal data to or from the UK will be affected. As the Data Protection Commission suggests, the extent of such transfers might be much greater than you think. You might, for example:
- Outsource HR, IT or payroll functions to a UK-based organisation;
- Use a UK-based company to send marketing material to your customers;
- Use an occupational health provider based in the UK;
- Store data in the UK on a server or in the Cloud;
- Use a pension scheme provider based in the UK;
- Send personal data of employees, customers or suppliers to a translation or transcribing service provided by a UK-based organisation; or
- Use a UK-based organisation to analyse data on visitors to your website.
Any activity like this will be subject to new rules, and organisations will need to prepare accordingly.
Be careful not to overburden yourself, though. If a UK-based customer passes their own personal data to your organisation, it’s not considered a data transfer and can continue without additional measures.
How can I transfer personal data legally after Brexit?
There are several safeguards you can implement to ensure that personal data transfers remain legal in a no-deal scenario, although the most appropriate measure for small and medium-sized organisations will often be SCCs (standard contractual clauses).
The UK’s data protection regulator, the ICO (Information Commissioner’s Office), explains that SCCs are “standard sets of contractual terms and conditions which the sender and the receiver of the personal data both sign up to. They include contractual obligations which help to protect personal data when it leaves the EEA and the protection of the GDPR [General Data Protection Regulation].
“It is the EEA sender of the personal data which must comply with the GDPR rules, but UK receivers may want to assist those senders in complying, to make sure data continues to flow if we leave the EU without a deal.”
You might already be using SCCs to transfer data in and out of the EU. The good news is that provisions will be made so that SCCs that have previously been issued by the European Commission will continue to be an effective basis for international data transfers from the UK.
Under the proposed regulations, the ICO will have the power to issue new SCCs after the UK leaves the EU.
What else changes in the event of no-deal?
The UK government’s website provides a full list of amendments to UK data protection law in the event of a no-deal Brexit. Here’s a list of those changes and clarifications that relate to Irish organisations:
- Data controllers and data subjects: The responsibilities of data controllers will remain the same, and data subjects will continue to benefit from the same high levels of data protection as they do now.
- Data transfers from the UK to EEA countries: The UK will “transitionally recognise” Ireland, as well as all other EEA countries and Gibraltar, as providing an adequate level of protection for personal data, allowing organisations to transfer data freely. The UK would keep all of these decisions under review.
- Data transfers from Ireland to the UK: Like every EU member state, Ireland will have to provide its own rules for transferring data to the UK. Organisations in the UK that rely on data transfers from Ireland should work with their Irish-based partners to make sure alternative mechanisms for transfers (such as SCCs) are in place.
- Maintaining the GDPR’s extraterritorial scope: The GDPR applies to all organisations that process EU residents’ information, regardless of where they are based. The UK government will retain this scope regardless of whether a Brexit deal has been reached.
How should you proceed?
Whether you’re concerned about data transfers specifically or the GDPR more broadly, you must acknowledge your compliance requirements in order to avoid disciplinary action and keep data subjects satisfied.
If your organisation is among those that have been waiting to see what effect the Regulation will have, you must now recognise its reality. Supervisory authorities, legal experts and individuals have been applying pressure on organisations through regulatory action, DSARs (data subject access requests) and formal complaints.
The time to act is now – and you must be certain of your approach. The GDPR is so complex that it’s too time-consuming to work it out as you go.
Those looking for compliance guidance – on getting started or on a specific requirement – should consider our Live Online GDPR Consultancy.
This service enables you to book consultancy support by the hour, giving you the assistance you need in a time frame of your choosing. Our experienced data protection consultants can help:
- Steer your GDPR strategy;
- Explain your GDPR compliance requirements;
- Guide you on privacy management and data protection practices; and
- Act as a virtual member of your GDPR compliance team.