Following the defeat for Theresa May's Brexit deal in the commons last night, it is looking increasingly likely that Britain is heading for a No-Deal exit from the European Union on 29th March 2019. Whatever your side of the debate, one thing is certain. A no-deal departure from the EU after 46 years of membership would be a significant change to the status quo.
With that in mind, it is time (if you haven't already) to consider preparing your business for a no-deal Brexit. There is countless debate about the way EU departure will affect trade, the economy and laws. However, a point that is often overlooked is the effect it could have on Data Protection.
The General Data Protection Regulation (GDPR) is a hard-won piece of legislation that ties together the nations of Europe into a tighter form of data protection. It only came into effect in May of 2018. How will a No-Deal Brexit affect the smooth transition of data and what measures can you take to keep your data safe?
To find out more about GDPR and how it affects you, download our FREE White Paper >>
Data protection is a fundamental right here in the UK and before and after Brexit, the Government are committed to the highest standards of data protection. Understandably data protection may not be the first thing that springs to mind when you think about Brexit, but in the event of a no-deal Brexit it’s important to be ready.
So, how would a no-deal Brexit affect data protection?
Luckily, the answer to that question is not very much. Currently as a country we have the Data Protection Act (2018), a UK-specific law and GDPR which forms the comprehensive data protection framework. This does not restrict the transfer of personal data within the EEA (European Economic Area), however, GDPR restricts organisations transferring data outside of the EEA unless there is a legal basis to do so. Therefore, UK businesses that operate only within the UK will have no immediate change, whilst UK businesses that operate internationally or exchange personal data outside of the UK will need to make changes to minimise disruption.
If we were to leave with no-deal, there would be no immediate change in the UK’s own data protection standards due to the EU Withdrawal Act incorporating GDPR into UK law to sit alongside it and the Data Protection Act (2018) staying in place. However, a no-deal Brexit would mean that Britain would be classed as a ‘third country’ until an adequacy agreement could be implemented. An adequacy agreement is a decision made by the European Commission which establishes that a non-EU country ensures an adequate level of protection of personal data by reason of its domestic law or the international commitments it has entered into. According to the ICO, until an adequacy agreement comes into force, the flow of personal data being transferred from the EEA to the UK would be stopped but the flow from the UK to the EEA would continue to take place. It is hoped that if it came to a no-deal, that an adequacy decision would be made quickly by the European Commission to allow the transfer of personal data without restrictions.
Although this would be allowed to take place, it would still have its challenges. Chris Combemale highlighted these challenges in an interview with the Sunday Express. He said “a UK-based company that has EU customers may use an EU-based data centre, but the information is processed at the UK HQ. If the UK leaves the EU without a data deal this company would lose access to its own data, as transfers from the EU to UK would be prohibited”.
It is important to educate yourself and your business on a no-deal Brexit and data protection. The ICO have set out six steps to help businesses prepare for a no-deal Brexit which I have outlined below.
- Continue to comply with all GDPR standards.
- Review all your data transfers to the UK and where you receive data into the UK from the EEA. Then think about what GDPR safeguards you can put in place to ensure data can still flow into the UK once Brexit has happened.
- Review all your data transfers from the UK to any other country. Once Brexit happens these will fall under new UK transfer and documentation provisions.
- If you are a European operation review your structure, data flow and processing operations so that you can assess how data protection regimes that apply to you will be affected.
- Review your privacy information and internal documentation to identify any that will need updating.
- Make key people in your organisation aware of the key issues.
Fortunately, it appears that Data Protection and the GDPR will be safeguarded by British law post-Brexit. Nevertheless, it is prudent to prepare for the worst possible outcome. Using the ICO advice will help you to keep the reputation of your business (regarding data protection) intact.
Ensure your business stays compliant with the GDPR legislations. Read our GDPR White Paper for the facts>>
