With Brexit day fast-approaching and the UK and EU in negotiation deadlock, it’s time for organisations to work under the assumption that a formal withdrawal agreement won’t be in place by 29 March 2019.
This will be hard work for many of your business activities, but things are surprisingly straightforward regarding personal data transfers. In this blog, we explain how EU organisations can navigate data transfers both into and out of the UK in a no-deal scenario.
Transferring data into the UK
At the point the UK leaves the EU, it will be classified as a third country. Chapter 5 of the GDPR (General Data Protection Regulation) states that personal data can be transferred to third countries under two circumstances.
The first is on the basis of an adequacy decision (as set out in Article 45). This occurs when the EU deems the third country to have the necessary levels of protection in place.
The second is when the controller or processor has provided appropriate safeguards (as set out in Article 46). These may be provided by:
- Legally binding and enforceable instruments;
- Binding corporate rules (explained further in Article 47);
- Standard contractual clauses;
- Approved codes of conduct; or
- Approved certification mechanisms.
There are also several derogations for specific circumstances, which are listed in Article 49.
Unless proposed plans to delay Brexit beyond 29 March 2019 are approved, the European Commission won’t have time to make an adequacy decision regarding the UK. That means EU organisations should be looking for appropriate safeguards – the most effective of which will probably be standard contractual clauses.
These clauses must be incorporated into the contract governing the data transfers and signed by both your organisation and the UK organisation receiving the information.
Transferring data out of the UK
The UK government’s website provides a full list of amendments to the country’s data protection law in the event of a no-deal Brexit.
It states that it will “transitionally recognise” all EEA (European Economic Area) countries and Gibraltar as providing an adequate level of protection for personal data, allowing UK organisations to transfer data to those countries freely.
Provisions will also be made so that standard contractual clauses that have previously been issued by the European Commission will continue to be an effective basis for international data transfers from the UK.
The ICO (Information Commissioner’s Office) will have the power to issue new standard contractual clauses for UK-to-EU transfers after the UK leaves the EU.
Likewise, binding corporate rules will continue to be recognised after Brexit, and the ICO will retain its ability to authorise them for transfers of personal data out of the UK.