Data protection if there’s no Brexit deal
On the 13 September 2018, the Department for Digital, Culture, Media & Sport published a notice. This set out the actions that UK organisations should take to enable the continued flow of personal data between the UK and the EU if there is no agreement in place by March 2019.
The rules governing the collection and use of personal data are currently set at an EU-level by the General Data Protection Regulation (GDPR) which is supplemented in the UK by the Data Protection Act 2018 (DPA 2018). Under the current arrangements, organisations are only permitted to transfer personal data outside the EU if there is a legal basis for doing so, whilst transfers within the EU are not restricted.
Following the UK’s exit from the EU, the Government has confirmed that there will be no immediate changes to the UK’s own data protection standards. The EU Withdrawal Act will incorporate the GDPR into UK law and it will continue to sit alongside the DPA 2018. However, should no agreement be reached, there will be a change in the legal framework which governs the transfers made by organisations ( or subsidiaries) established in the EU, to organisations established in the UK.
Transfers from the UK to the EU
The UK Government’s position is that in recognition of the unprecedented degree of alignment between the UK and EU’s data protection regimes, organisations will continue to be able to transfer personal data from the UK into the EU unchecked and no restrictions will be put in place at the point of the UK’s exit.
Transfers from the EU to the UK
The EU already has in place an established mechanism to enable the free flow of personal data to countries outside the bloc, namely where an adequacy decision is made by the European Commission in relation to that country.
The Commission has stated that if it deems the UK’s level of personal data protection equivalent to that of the EU, then it would make an adequacy decision allowing for the unimpeded transfer of personal data to the UK. However, although the UK has made it clear that it is willing to begin preliminary discussions on an adequacy assessment prior to its exit from the Union, the Commission has refused to indicate a timetable for talks and has declared that no decision can be taken until the UK is a third country.
If the Commission does not make an adequacy decision at the point of the UK’s exit, and an organisation wants to receive personal data from partners established in the EU, then they will need to identify, alongside their European counterparts, a legal basis for the transfer. For the majority of organisations, the most appropriate and relevant legal basis will be “standard contractual clauses”. These are model data protection clauses approved by the European Commission that enable the free flow of personal data when embedded into a contract. They impose obligations on both parties as well as conferring rights on the individuals whose personal data is transferred. In other circumstances a derogation may be relied upon, for example where the transfer is made with the data subject’s consent or the transfer is necessary to perform a contract.
The Department for Digital, Culture, Media & Sport has recommended that organisations proactively consider what actions they may need to take to ensure the free flow of data in the event of a no-deal Brexit. Greenwoods GRM can advise you on the various options available and the steps you need to take to ensure that your data flows are not disrupted.
If you have any concerns about how this may affect your business, please get in touch with our team.
This update is for general purposes and guidance only and does not constitute legal or professional advice. You should seek legal advice before relying on its content. For advice, get in touch with your usual Greenwoods GRM contact or scroll down to complete our enquiry form.