Legally speaking: Data transfers post Brexit

With little time remaining before the UK leaves the European Union, the potential for a no-deal Brexit remains, albeit less likely than a few months ago.

The focus of the Information Commissioner’s Office (ICO) had turned to that of the continued lawful transfer of personal data between the UK and Europe in the event of a no-deal Brexit and this continues to be a very relevant concern for organisations, particularly now that there are only weeks to go.

data brexitIn the event of a no-deal Brexit…

There are two considerations with respect to the transfer of personal data should the UK leave Europe without a deal in place, these are the way in which personal data is transferred:

  • from the UK; and
  • to the UK from Europe.

Whether you are transferring personal data from the UK, or receiving data from a country within the EEA, existing law continues to apply in that these personal data transfers will be lawful if they are covered by an adequacy decision, an appropriate safeguard or an exception.

Personal data transfers from the UK to Europe will continue to be unrestricted and so no further steps are necessary for UK organisations.

For now, there are no restrictions on personal data transfers from Europe to the UK.  This could change as, should the UK leave the EU without a deal in place, it will not automatically be considered to provide an adequate level of protection to personal data. Therefore, any transfer of personal data from a country within the EEA to a business in the UK will be deemed a restricted transfer and shall require additional safeguards in order to transfer that data in compliance with the GDPR. This will apply regardless as to whether the business transferring the data is a controller, a processor or a sub-processor and applies to all organisations whether they be large multi-nationals, small or medium enterprises (SME) or sole traders.

In view of this, emphasis within the ICO guidance is placed on both small and large organisations who may receive data from countries within the EEA. Specific guidance for SMEs has been recently updated and is available on the ICO website, as is additional guidance for large organisations. In both cases, the ICO suggests the most straightforward way to comply is to adopt the Standard Contractual Clauses.

What are the Standard Contractual Clauses (SCC)?

The SCC are sets of clauses for use by controllers of personal data when sending and/or receiving personal data to or from another controller or a processor under the GDPR. These clauses are European Commission approved and deemed to offer sufficient protection for such data transfers. There are two sets of clauses, one is for use between two controllers of personal data, the other set is for use between a controller and a processor.

Steps to take now:

  • Establish the effects of Brexit on your organisation – do you receive data from countries within the EEA?
  • If so, consider updating your existing contracts to include the SCC which will enable the continued transfer of data to your organisation.
  • Check with the organisation concerned, it may be, for example, that where it stores data on your behalf, it may agree to locate such storage facilities within the UK.
  • Should you currently transfer data from the UK to countries outside the EEA and you have no safeguards in place, consider adopting the SCC to lawfully transfer that personal data.
  • Should you have offices or a presence within Europe, ensure that their processing activities continue to comply with local data protection law.
  • Update your organisation’s privacy policy and any other relevant documents if required after Brexit.

Claire Halle-Smith is a commercial lawyer with Wright Hassall. She has a particular focus on data privacy, contract management and strategic planning for businesses