• Careers
  • Contact Us

Is Your Data Ready for a 'No-Deal' Brexit?

on Thursday, 21 February 2019.

It now looks increasingly possible that the UK will leave the EU at the end of March without a withdrawal agreement in place. In preparation, the EEA regulators have published a notice setting out what they expect from commercial and public organisations.

If there is a no-deal Brexit on 29th March, it will affect you immediately if you:

  • receive personal data from the EEA (EU plus Norway, Iceland and Lichtenstein)
  • use data processors 'established' in the EEA, such as providers of cloud storage or SaaS
  • sell goods or provide services to individuals in the EEA;
  • monitor behaviour of individuals in the EEA - for example by analysing social media feeds

Following a no-deal Brexit there will be two separate (albeit very similar) data protection regimes in place: the UK one and the EEA one. If you carry out any of the activities set out above, you will have to comply with both regimes. The effect of the notice issued by the EEA regulators is that transfers of personal data from the EEA to the UK will, from 23:00 (London time) on 29th March, no longer automatically be compliant with the (EU) General Data Protection Regulation (EUGDPR).

There will therefore be immediate restrictions on transfers of personal data from the EEA to the UK. You and your EEA partner (where applicable) will have to implement one of the safeguards under the EUGDPR to make such transfers lawful unless you can rely on a derogation.

We therefore recommend that you take steps now to ensure the continued free flow of personal data if the UK leaves with no deal on 29th March.

If you only receive personal data in the UK from the EEA, you will not be subject to the same restrictions because the UK Government has confirmed that transfers of personal data from the EEA to the UK will continue to be compliant with UK law. Nevertheless, you may still find that your EEA partner asks for changes to your agreement with them (and possibly also to your data privacy policy) so that their own processing continues to be lawful under the EEA regime.

Which safeguard or derogation is most appropriate will turn on the facts of your particular situation. For example, an emergency transfer of medical information should be treated differently from the routine transfer of commercial information.

The safeguards most likely to be helpful at this stage are:

  • For commercial organisations and public bodies - The standard contractual clauses which have been approved by the European Commission. These are a convenient safeguard to implement because they simply need to be inserted (in full and unmodified) into a contract between the data importer and exporter. You will, however have to insert the detail of the data that are transferred and the security measures that you have in place. You will generally be able to use this mechanism to help make the activities set out above, lawful in the EEA. It is also likely that if you receive personal data from the EEA you will be asked to sign up to these clauses by your EEA counterpart.
  • For public bodies only - you may be able to make use of an administrative agreement, a bilateral or multilateral international agreement. These are specific to the public function(s) that you carry out and there may not be any such agreement that covers your processing, in which case, you may choose to use standard contractual clauses.

There are some multinational groups of companies that already have Binding Corporate Rules (BCRs). If so, these will continue to be valid. However, if the ICO acts as your BCR Lead Supervisory Authority then you will need to identify a new authority within the EEA.

The EUGDPR provides for certain situations where safeguards, such as those mentioned above, are not required. These are referred to as 'derogations'. For example, where the transfer of personal data is necessary for the performance of a contract with the data subject or where the individual has provided explicit consent for the transfer of their data. However, before relying on a derogation you should consider whether a safeguard can be used because derogations should mainly be used for transfers which are occasional and non-repetitive.

Whichever mechanism you choose to use, you should review your data privacy policies or transparency notices to ensure that they correctly reflect the new arrangements.

Once you have decided how to make your processing lawful and reviewed your privacy policies, you should update your data processing record accordingly.

Employers of EU nationals must also be aware of the impact a 'no deal' Brexit will have on their workforce, and should take steps to prepare accordingly.

It remains possible that a last minute resolution will be reached, but as the end of March draws closer, we now recommend that you prepare for a 'no deal' scenario in good time.

Please contact Serena Tierney on 020 7665 0817 or Andrew Gallie on 0117 314 5623 if you would like advice on this issue.

Leave a comment

You are commenting as guest.