Update (10 September 2019): We have refocused our data protection guidance for a no-deal Brexit so that it better addresses the needs of small organisations. We’ve taken many of the key points from the ‘6 steps’ guidance and included them in our new guidance for small organisations. In order to avoid any confusion we have removed the ‘6 steps’ guidance from the ICO website.
Information Commissioner Elizabeth Denham sets out how the ICO is helping businesses, particularly SMEs, prepare for a possible no-deal Brexit
13 December 2018
The basis on which the UK will leave the EU has still to be decided.
The Government has made clear that the General Data Protection Regulation (GDPR) will be absorbed into UK law at the point of exit, so there will be no substantive change to the rules that most organisations need to follow.
But organisations that rely on the transfers of personal data between the UK and the European Economic Area (EEA) may be affected.
Personal information has been able to flow freely between organisations in the UK and European Union without any specific measures. That’s because we have had a common set of rules - the GDPR.
But this two-way free flow of personal information will no longer be the case if the UK leaves the EU without a withdrawal agreement that specifically provides for the continued flow of personal data.
In this event, the Government has already made clear its intention to permit data to flow from the UK to EEA countries. But transfers of personal information from the EEA to the UK will be affected.
We have published guidance and practical tools to help organisations understand the implications and to help you plan ahead. These comprise:
- a ‘Six Steps to Take’ guide;
- broader guidance on the effects of leaving the EU without a withdrawal agreement, and
- a general overview in the form of Frequently Asked Questions.
We know that many organisations have already been making preparations in case the UK leaves the EU without a withdrawal agreement in place. This includes those that are involved in transfers of personal data to and from the EEA. If your organisation hasn’t yet, our ‘Six Steps to Take’ guide is a good place to start. It’s designed to help all organisations make the precautionary preparations that will help ensure these data flows continue.
Organisations will need to carefully consider alternative transfer mechanisms to maintain data flows and the guidance we have produced will help you weigh the options and take action if this proves necessary.
Standard Contractual Clauses
Many may decide that one potential solution is to put in place what are known as Standard Contractual Clauses between themselves and organisations outside the UK. We have produced a straightforward, interactive guide to take you through that process. Particularly aimed at small and medium sized organisations, it will help you decide if Standard Contractual Clauses are relevant and will minimise the expense of putting them in place. It already includes help with completing the clauses, but we will be making further developments in the next few weeks to incorporate an online tool to help organisations generate them automatically.
Transfers on the basis of a European Commission adequacy decision
The Government has also made clear its intention to seek adequacy decisions for the UK. An adequacy agreement would recognise the UK’s data protection regime as essentially equivalent to those in the EU. It would allow data flows from the EEA and avoid the need for organisations to adopt any specific measures. But any such adequacy decisions will not be in place before the UK leaves the EU (and will take time to conclude). However, organisations need to consider their circumstances and what transfer mechanisms are appropriate.
The guidance we have produced will help organisations plan ahead and ensure that personal data continues to flow. We will be providing further information to the small number of organisations in the UK that rely on approved Binding Corporate Rules for their transfers to explain how they may be affected. We will continue to help all organisations understand how any future changes in data protection regulation will affect you and the measures you need to put in place.
Elizabeth Denham was appointed UK Information Commissioner on 15 July 2016, having previously held the position of Information and Privacy Commissioner for British Columbia, Canada.