The UK’s data protection authority and GDPR enforcer has issued fresh guidance (and a warning) to businesses over data flows in the event of a no-deal Brexit.
The guidelines come with a stark warning that a no-deal exit will change how EU law is applied to UK companies processing user data.
If a company is transferring personal data from the UK to an EU entity, it can proceed as normal, as the UK government has stated that it will put no restriction on that data flow. However, if the company is receiving data from a firm based in the EU, it will need to take extra steps to ensure it is compliant.
While the GDPR, NIS, PECR and other regulations surrounding information security and data privacy have been enshrined in UK law and will be retained post-Brexit, eIDAS (which covers electronic ID and trust services) has yet to be incorporated into UK law.
Westminster says this will happen on the eve of Brexit, however. The ICO notes that, in practice, “if you are a UK trust service provider, you should assume that you will still need to comply with eIDAS rules.”
ICO: Firms Should Establish Standard Contractual Clauses with EU Partners
The ICO is advising that the best approach may be to establish standard contractual clauses (SCCs) with EU bodies and firms from which data is flowing.
The SCCs should set out each company's data protection responsibilities under GDPR legislation in the EU. In essence, an SCC establishes contractual terms and conditions that ensure both companies process data lawfully.
Currently data flow is unrestricted as the UK is still classed as an EU member state, yet that could change overnight on October 31 and it will be up to UK firms to ensure they are following the law in the UK and the EU, warns the ICO.
The Information Commissioner Elizabeth Denham stated that: “It’s crucial that organisations make sure they properly prepare for all scenarios.”
ICO Brexit Warning
The Commissioner is advising businesses to bring themselves up to speed with the ICO’s published guidelines. “Even if you think your organisation doesn’t transfer data internationally, I’d urge you to read what we’ve produced, and assess whether you need to act,” commented Denham.
If a company has established offices or branches within the European Economic Area (EEA) they will have to comply with UK and EU data protection regulations. The ICO is advising companies of this nature that they may need to designate a representative in the EEA.
This representative will act as the company’s local point of contact for individuals and data protection authorities in the EEA. The ICO is warning that if you have a data protection officer (DPO), neither that person nor one of your processors can be designated as your representative in the EEA.
No matter what happens at the end of October, the ICO is informing businesses that the best approach will be to adhere to GDPR rules and guidelines when processing personal data; this will ensure firms are compliant with both EU and UK law.
And despite all the updates, the main message from the ICO is simple: “If we leave the EU without a deal, most of the data protection rules affecting small to medium-sized businesses and organisations will stay the same.”