Businesses that rely on transfers of personal data between the UK and the European Economic Area (EEA) may have to take special steps to safeguard their business processes if the UK leaves the European Union without a deal in place, the ICO warns.
The government has made clear that the EU’s General Data Protection Regulation (GDPR) will be absorbed into UK law at the point of exit, so there will be “no substantive change” to the rules that most organisations need to follow, but organisations that rely on the transfers of personal data between the UK and the EEA may be affected, says information commissioner Elizabeth Denham.
Denham said in a blog post that, if the UK leaves without a withdrawal agreement in place that specifically provides for the continued flow of personal data, the government has already made clear its intention to permit data to flow from the UK to EEA countries.
However, transfers of personal information from the EEA to the UK will be affected, she said, and to help organisations understand the implications and to plan ahead, the ICO has published three guidance documents.
The first is a guide on six steps to take, the second is broader guidance on the effects of leaving the EU without a withdrawal agreement, and the third is a general overview in the form of frequently asked questions.
Denham said that for organisations that have not already been making preparations in case the UK leaves the EU without a withdrawal agreement, the six steps guide is a good place to start.
“It’s designed to help all organisations make the precautionary preparations that will help ensure these data flows continue,” she said.
Denham notes that organisations will need to consider alternative transfer mechanisms to maintain data flows. “The guidance we have produced will help you weigh the options and take action if this proves necessary,” she said.
The potential solutions include putting standard contractual clauses in place with organisations outside the UK. The ICO guide is designed to take organisations through that process.
“Particularly aimed at small and medium-sized organisations, it will help you decide if standard contractual clauses are relevant and will minimise the expense of putting them in place,” said Denham.
“The guide includes help with completing the clauses, but we will be making further developments in the next few weeks to incorporate an online tool to help organisations generate them automatically.”
Denham said the government has also made clear its intention to seek adequacy decisions for the UK, which would recognise the UK’s data protection regime as essentially equivalent to those in the EU.
“It would allow data flows from the EEA and avoid the need for organisations to adopt any specific measures. But any such adequacy decisions will not be in place before the UK leaves the EU and will take time to conclude. However, organisations need to consider their circumstances and what transfer mechanisms are appropriate,” she said.
The ICO plans to provide further information to the small number of organisations in the UK that rely on approved binding corporate rules for their transfers to explain how they may be affected.
“We will continue to help all organisations understand how any future changes in data protection regulation will affect you and the measures you need to put in place,” said Denham.
In guidance published by the Department for Digital, Culture, Media and Sport (DCMS), the government said it will make “appropriate changes” to data protection legislation to ensure that the UK data protection framework continues to operate effectively when the UK is no longer an EU member state.
Under the EU Withdrawal Act, the government said it will use regulation-making powers to:
- Preserve EU GDPR standards in domestic law.
- Transitionally recognise all EEA countries and Gibraltar as “adequate” to allow data flows from the UK to Europe to continue.
- Preserve the effect of existing EU adequacy decisions on a transitional basis.
- Recognise EU standard contractual clauses (SCCs) in UK law and give the ICO the power to issue new clauses.
- Recognise binding corporate rules (BCRs) authorised before exit day.
- Maintain the extraterritorial scope of the UK data protection framework.
- Oblige non-UK controllers who are subject to the UK data protection framework to appoint representatives in the UK if they are processing UK data on a large scale.
The government said the special regulations and more detailed guidance will be published in the “next few weeks”.
With continued uncertainty about the future relationship between the UK and the EU, TechUK said the additional guidance from the ICO will be helpful for businesses trying to understand the impact of a no-deal Brexit on their data transfers so they can plan for all eventualities.
“Too many businesses, across all sectors, remain unprepared for the impact no deal would have on their ability to transfer data. This guidance should help focus minds on the practical steps that businesses need to take,” said Giles Derrington, head of policy at TechUK.
“The ICO’s guidance coincides with confirmation from DCMS that amendments will be made to the UK Data Protection Act 2018 in the event of no deal to ensure the continued and consistent application of the existing data protection law, based on GDPR, is maintained. This is another important part of no deal preparation work by government,” he said.
However, according to Derrington, TechUK remains convinced that adequacy agreements between the UK and the EU are the most suitable way of maintaining data flows.
“TechUK was pleased to see commitments from both the UK and EU in the political declaration to reach adequacy agreements by the end of the transition period, should the Withdrawal Agreement be agreed,” he said.
“This additional clarity from the ICO about the steps businesses can take to facilitate data transfers if there is no deal is welcome. TechUK urges all businesses to use this information to make sure that they are as prepared as possible should a no deal occur in March 2019.”