Brexit: No deal impact on cross-border data flows

The overview

If you didn’t already know, the United Kingdom, as I write this, is to leave the European Union on the 29th March at 23:00 GMT. It is still undecided whether the UK will leave the EU or not, however there is a meaningful vote scheduled which will now be held by the 13th March 2019. Some 2 and a bit weeks before the deadline for exit.

Businesses are working on their contingency plans for a ‘no Brexit’ one where the UK leaves the EU without any agreement and enters WTO tariffs, which are way more than what they are currently.

Back in December 2018, as part of the Governments ‘no deal’ planning, the Government issued a notice (the Notice’) to help provide further detail on how our current Data Protection Law (DPA 2018) will work if the UK does in fact leave the UK without a deal. This was further followed up by the ICO who released a blog detailing how it is helping businesses prepare for a no deal Brexit.

What are the issues?

The Notice issued by the Government defines the key components which make up a ‘no deal’ framework, this helps to provide a leave of reassurance to cross-border data flows. It is made up of at least the following points:

  • Any transfers from the UK to all EEA countries, including Gibraltar would continue to operate and flow as normal as the UK would recognise them as ‘adequate’
  • Where the European Union has already made an adequacy decision based upon a third country, the UK intends to preserve this on a transitional basis. As of writing there are currently twelve countries with full adequacy status. These are Andorra, Argentina, Canada (limited to transfers to commercial organisations) Guernsey, Isle of Man, Israel, Japan, Jersey, New Zealand, Switzerland, Uruguay and United States (limited to the current Privacy Shield framework).

This means that the flow of personal data would continue to flow from the UK to the adequate countries defined above.

  • European Commission approved Standard Contractual Clauses (‘SCCs’) can (at this point in time) still be used to transfer personal data from the UK to another other EU county.
  • Any existing authorised Binding Corporate Rules (‘BCRs’) via the ICO would continue to be recognised by EU.

The big problem for any business who are trading with EU counties is that you will need to be legitimising the flow of information from the EU to the UK. This means that you need to ensure that you, as a business have been mapping your data, gaining consent (as per GDPR).

The UK Government has stated that all UK organisations will have to work with the EU counterparts to help make sure that mechanisms for the transferring of information are in place.  This could be the formation of Standard Contractual Clauses (SCC).

Summary

If your business works with any companies that are within the EU, then you need to start looking at the data you have, where its stored, what’s its used for and why do you need it.  This blog article only scratches the surface. Haulage companies have bigger headaches with additional paperwork and processes.

I hope this articles helps and helps to spread the information that is needed for the upcoming changes.

Menu