kamasigns - Fotolia
The Information Commissioner’s Office (ICO) has published fresh guidance for small and medium-sized enterprises (SMEs) on personal data transfers in the event of a no-deal Brexit.
As the clock ticks down to the Brexit date of 29 March 2019, the prospect of the UK leaving the European Union (EU) without a deal becomes ever greater and businesses should ensure they are prepared for it, Jonathan Bamford, director of strategic policy at the ICO, warned at a recent Westminster eForum event on General Data Protection Regulation (GDPR) practice in London.
To help UK businesses understand the implications of a no-deal Brexit, information commissioner Elizabeth Denham has published guidance aimed at busting some common myths.
“At the moment, personal data flow is unrestricted because the UK is an EU member state. If the proposed EU withdrawal agreement is approved, businesses can be assured that personal data will continue to flow until 2020 while a longer-term solution can be put in place,” she said in a blog post.
However, she warned that a no-deal Brexit will mean that UK companies will have to put additional measures in place when personal data is transferred from the European Economic Area (EEA) to the UK.
“With less than two months to go until the UK leaves the EU, we recognise that businesses and organisations are concerned,” said Denham.
Busting common myths
The first myth addressed is that Brexit will stop UK businesses from transferring personal information from the UK to the EU altogether.
In a no-deal situation, Denham said the UK government has already made clear its intention to enable data to flow from the UK to EEA countries without any additional measures, but cautions that transfers of personal data from the EEA to the UK will be affected.
“The key question around the flow of personal data is whether your data is going from the UK to the EEA or exchanged both ways? If you are unsure, start by mapping your data flows and establish where the personal data you are responsible for is going.”
All businesses operating in the EEA should consider whether they need to take action now, said Denham, advising that all those affected should consult the Information Commissioner’s Office’s guidance pages to establish whether they need to prepare for data transfers in the event of a no-deal Brexit.
The second myth addressed is that UK businesses such as a family hotel will need to set up a special agreement to deal with the personal details of EU customers.
When a customer passes their own personal data to a company in the EEA, Denham said it is not considered to be a data transfer and can continue without additional measures.
“However, there may be other ways you transfer data, for example a booking agency transferring a list of customers, in this case you may need additional measures,” she said, advising businesses to check the ICO’s guidance pages on Brexit.
Elizabeth Denham, ICO
The third myth addressed is that Brexit will affect only data transfers of UK companies actually exporting goods or services to the EU.
Personal data transfers are not about whether a business is exporting or importing goods, said Denham. “You need to assess whether your business involves transfers of personal data – such as names, addresses, emails and financial details – to and from the EEA and if this is going to be lawful in the case of ‘no deal’,” she said, adding that it is the responsibility of every business to know where the personal data it processes is going, and that a proper legal basis for such transfers exists. In this regard, she recommends businesses look at the ICO’s guidance on six steps to take.
The fourth myth addressed is that a UK business will be fine because there will be a European Commission adequacy decision on exit day on 29 March 2019 to ensure the uninterrupted exchanges of personal data between the UK and the EU.
“Adequacy” is the term given to countries outside the EU that have data protection measures that are deemed essentially equivalent to European standards. Companies and organisations operating within countries with adequacy agreements enjoy uninterrupted flow of personal data with the EU.
However, Denham said that an assessment of adequacy can take place only once the UK has left the EU and warned that these assessments and negotiations have usually taken many months.
“Although it is the ambition of the UK and EU to eventually establish an adequacy agreement, it won’t happen yet. Until an adequacy decision is in place, businesses will need a specific legal transfer arrangement in place for transfers of personal data from the EEA to the UK, such as standard contractual clauses,” she said.
The fifth myth addressed is that if a business’s parent company in Europe keeps all personal data records centrally, there is no need to worry about any new agreements.
“Don’t presume you are covered by the structure of your company. In the case of ‘no deal’, UK companies transferring personal information to and from companies and organisations based in the EEA will be required by law to put additional measures in place. You will need to assess whether you need to take action,” said Denham.
There are many mechanisms companies can use to legitimise the transfer of personal data with the EEA such as standard contractual clauses and binding corporate rules. The ICO has produced an online tool to help organisations put contract terms in place to provide a lawful basis for data transfers.
“You know your organisation best and will be able to use our guidance to assess if and how you need to prepare. Alternative data transfer mechanisms exist, but it can take time to put those arrangements in place,” said Denham, adding that it is in everyone’s interests that appropriate exchanges of personal data continue whatever the outcome of Brexit.
“The ICO will carry on co-operating internationally to ensure protections are in place for personal data and organisations have the right advice and guidance,” she said.