New guidance for businesses to ensure the free flow of personal data in the event of a no-deal Brexit

GDPR support from our legal advisors

Data Protection and a ‘No Deal’ Brexit

With recent political uncertainties, it has become advisable for businesses to prepare for a no-deal Brexit. The Department for Digital, Culture, Media & Sport (‘DCMS’) and the Information Commissioner’s Office (‘ICO’) have respectively published guidance notes and blog posts advising businesses to take steps to ensure the free flow of personal data in the event of a no-deal Brexit. Following these publications, a draft ‘Data Protection, Privacy and Electronic Communications (Amendments etc) (EU exit) Regulations 2019’ has been put to Parliament, listing the key amendments to be made to UK data protection laws.

What if there is a “No Deal” Brexit?

In the scenario of a “no deal” Brexit, there would be no immediate change in the UK’s own data protection standards because the Data Protection Act 2018 would remain in place on exit and the GDPR would be incorporated into UK law by the EU (Withdrawal) Act 2018. The ICO has confirmed in its guidance that the free transfer of personal data from the UK to the EU would be permitted. This will remain under review by the UK Government.

However, the legal framework will be subject to change for organisations established in the EU that wish to transfer personal data to organisations established in the UK. EU organisations would need to take action to ensure that they are able to send UK organisations personal data, as the UK would be deemed to be a “third country” under the GDPR.

Chapter V of the GDPR provides the methods by which transfers of personal data to the UK (as a third country) can be permitted under GDPR.

Adequacy Decision

The most favourable method for UK-based data controllers and processors is an “adequacy decision”. This is where the European Commission (the “Commission”) makes a finding that a third country, territory, specific sector in a third country or an international organisation offers levels of data protection that are essentially equivalent to that within the EU. An adequacy decision permits a cross-border data transfer outside the EU, or onward transfer from or to a party outside the EU, without further authorisation from a national supervisory authority. The Commission has stated that an adequacy decision would be granted to the UK following its exit from the EU if the UK’s regime was deemed “essentially equivalent” to that of the EU. However, the Commission will not take the decision on adequacy until the UK is a third country, and the decision is not guaranteed. At this stage, it is not guaranteed that an adequacy decision can be relied upon at the point of exit and therefore you may wish to consider appropriate safeguards for EU to UK transfers.

Appropriate Safeguards

If the UK does not get an adequacy decision, those that are looking to transfer personal data from the EU must then look towards whether the transfer can be made subject to “appropriate safeguards” listed in the GDPR.

Standard Contractual Clauses

Standard contractual clauses (the SCCs) are an example of an appropriate safeguard, and the one most likely to be appropriate for small and medium-sized businesses.

The SCCs are standard sets of contractual terms and conditions which the sender and the receiver of personal data both sign up to. They include contractual obligations which help to protect personal data when it leaves the EEA.

Binding Corporate Rules

Binding Corporate Rules (BCRs) are another example of an appropriate safeguard. BCRs can be put in place to allow multinational groups to transfer personal data from the EEA to their affiliates outside the EU. BCRs must be approved by a supervisory authority. A company can put in place BCRs for controllers (covering data it controls) and/or BCRs for processors (for data it processes on behalf of others).

To be successful, an applicant must demonstrate that it has in place adequate safeguards for protecting data throughout the organisation. BCRs do not cover transfers of personal data outside a corporate group.

Conclusion

Ideally, in the event of a “no deal” Brexit, the Commission will make an adequacy decision which will allow the free flow of personal data from the EU to the UK. However, it would be prudent to consider your current arrangements with EU-based entities and identify where there are transfers of personal data from the EU to the UK which may require appropriate safeguards to be put in place if an adequacy decision is not forthcoming.

At Brachers we can assist your business in preparing for a “No Deal” Brexit. Please contact a member of our team for further information and advice.