Data Protection and Brexit

Updates from regulators on both sides of the Irish Sea continue to leave us with an ongoing level of uncertainty. This is primarily due to the lack of a Brexit deal to provide direction. However, there is general clarity on the issue of data protection in the event of a no-deal Brexit.

Key points in the event of a hard Brexit (i.e. no deal)

1  The UK will be outside of the EU. This will require safeguards to be put in place by organisations in Ireland before they transfer personal data to the UK. This includes Northern Ireland.
2  Transfer to countries outside of the EU requires one of the following:

  1. An Adequacy Ruling by the EU. This ruling judges the third state’s data protection as adequate for the processing of EU personal data without additional action, e.g. Switzerland, Japan or New Zealand. The UK does not have an Adequacy Ruling,
  2. Appropriate Safeguards. These include, among other things, an EU standard data protection clause between the organisations, binding corporate rules or approved codes of conduct,
  3. Failing the above, in specific cases, relying on consent from the subject or the performance of a contract.

3  The awarding of an Adequacy Ruling to the UK is not a given. The enactment of legislation granting powerful surveillance and retention powers to UK policing authorities in 2016 has already been judged as inconsistent with EU regulation and may prevent a full adequacy ruling.
4  The UK is permitting personal data to flow freely from the UK to the EU.

Four Recommendations if you do business in the UK

1 List the personal data that will need to be transferred to the UK after the 31st October, and its purpose. Examples of situations where you may be transferring personal data to the UK include: to customers or suppliers, outsourced services, services hosted in the cloud and controlled by a UK organisation, or relating to company functions administered in the UK.

2 Decide on the appropriate mechanism to transfer personal data outside of the EU legitimately. As a basic measure, many companies may rely upon either an EU Standard Contractual Clause, or a contract directly with a subject. Where the contract is not directly with a Subject and you need to rely upon EU Standard Clauses, insert the following items into your terms and conditions:

  1. the terms of the EU Standard Contractual Clause, or make reference to it, as a basis for transfer.
  2. a warrant that personal data provided by companies to you has been obtained lawfully and that the Subject is informed of its purpose and transfer.

3  Update your staff contract/handbook to cater for the transfer of staff personal data outside of the EU.

4  Put a plan in place to have this completed by the Brexit deadline of 11pm on 31st October.

If you are outside of the EU and would like similar, high-level, practical guidance for non-EU companies with operations within the EU, please see here