Sarah Ludford, business growth advisor, GC Business Growth Hub
It feels like only a short time ago that we had to get our heads around how to implement the General Data Protection Regulation (GDPR) and change our processes around personal data, in order to comply with this piece of European legislation.
But now, with a possible no deal Brexit on the horizon, businesses need to look at the issue of how we should handle personal data in the event of leaving the EU without a deal. If we leave without formalising a deal, there will not be a ‘transition period’ – a time for UK businesses to understand and implement changes to trading legislation – so there is a threat of a period of ‘data confusion’. That is, unless we take the issue by the horns and try to plan for a no deal eventuality.
The good news? The Information Commissioner’s Office (the ICO) has outlined the scenario that we need to plan for.
The crux of the issue is the data that we import from the EU. Currently, whilst the UK remains in the European Union, the shared GDPR legislation ensures that data flows freely within the area. If the UK leaves the EU without a negotiated deal, then our businesses no longer have the same freedoms. The UK has pledged to write the current GDPR legislation into UK law. So, there is expected to be very little change in the way we send personal data within the UK and how we export it into the EU.
But the issue comes when we look to receive data from a business in Europe.
This might be, for example, when an EU business sends the personal details of a booking or shares a database that holds identifiable personal data.
A UK business may have to comply with both the UK data protection laws and the EU equivalent. And we will need to ensure that the sender of the data is complying with their local legislation.
At the moment, the EU would apply what is called an ‘adequacy decision’ in relation to a non-EU country receiving EU originated data. In simple terms, that means that the EU would review the data legislation and provisions in a country, let’s say Japan, and assess that their standards are equivalent to or higher than the ones in the EU and, therefore, that the data environment is safe. Because the data is considered well maintained and compliant, the EU would take a ‘decision’ that it is OK to export EU data to Japan. It is like data safeguarding.
The EU has not yet made that decision about the UK. In the meantime, there may be a period where the EU does not have an adequacy decision in place to cover the export of personal data into the UK.
But what happens to all of those countries that do not have an ‘adequacy decision’ and yet receive EU data now?
In that case, a contractual clause is put in place between the EU sender and the non-EU data recipient. It is called a ‘standard contractual clause’ (SCC). This is a contractual agreement on the jurisdiction and use of the data, along with the legislative framework that the personal data is to be governed under. The SCC will also take into consideration the roles in the data handling, in terms of controller and processor, just as it is under GDPR currently.
As mentioned, the ICO has outlined all that a business will need to know when handling data coming in from the EU. This would be a good time to consider how to put SCCs in place, what GDPR changes may be on the horizon and maybe this is the time to clean up your data housekeeping.
All the ICO guides can be found at:
Leaving the EU – 6 steps to take: https://ico.org.uk/media/for-organisations/documents/brexit/2614575/leaving-the-eu-6-steps-to-take-final.pdf
Importing data from the EU under no deal Brexit – an assessment: https://ico.org.uk/for-organisations/data-protection-and-brexit/standard-contractual-clauses-for-transfers-from-the-eea-to-the-uk-interactive-tool/
No deal Brexit & data protection – FAQs: https://ico.org.uk/for-organisations/data-protection-and-brexit/information-rights-and-brexit-frequently-asked-questions/