April 2019

There is no doubt that Brexit will have implications for data protection in the UK, but these implications will largely depend on the type of deal that is reached between the UK and the European Union. While uncertainty remains over what type of deal will be agreed, organisations are encouraged to make sure that they have the correct policies and procedures in place to ensure an adequate level of protection. In the event of a no deal scenario, the obligations of data controllers and data processors will not change, and the ICO will remain the independent regulator for data protection in the UK, but EU law will require us to put in place additional measures to make data transfers from the EU to the UK lawful.

Under the current GDPR rules, organisations are only permitted to transfer personal data outside the EU if there is a legal basis for doing so. Post-Brexit, in the event of a no deal Brexit and as confirmed by the European Data Protection Board, the UK will be treated as a “third country” and personal data transfers from the EU to the UK will be “restricted” pursuant to Chapter Five of the GDPR. In this scenario, specific safeguards will need to be adopted to support the lawful transfer of personal data to the UK. The Government and the ICO continue to encourage organisations to be aware of this risk and to be prepared to adopt the necessary appropriate safeguards.

Last year the Government published technical guidance entitled “Data protection if there is no Brexit deal”. In the event that Britain leaves the European Union without a deal in place, the free flow of personal data from the UK to the European Economic Area (‘EEA’) will remain uninterrupted. This is because the UK will continue to recognise all EEA states, EU and EEA institutions, and Gibraltar as providing an adequate level of protection for personal data. In essence, personal data can therefore continue to flow freely to the above-mentioned destinations on our exit from the EU.

However, in the event of a no deal Brexit, the data flow to the UK from jurisdictions outside of the UK will be disrupted. These jurisdictions will provide their own rules on international data transfers, and it is therefore paramount that UK organisations work with their EU counterparts to make sure that there are alternative mechanisms in place to allow data flow to the UK. These alternatives include:

  • Existing EU adequacy decisions
  • EU standard contractual clauses
  • Binding Corporate Rules

Organisations should continue to monitor the UK Government’s and the ICO’s websites for further information.

For further information on the alternatives, please contact our data protection team.