Transferring data after a no-deal Brexit

by Nicholas King on January 15, 2019

The past two years of Brexit negotiations have
largely proved the late William Goldman’s adage that “nobody knows anything”.
No one can tell you what Brexit will entail, very little has been finalised and
there’s a real possibility that the UK will exit the EU without a formal
agreement.

Amid all this uncertainty, you might be surprised
to learn that that the UK government does have a plan for protecting personal
data if the UK can’t negotiate a deal by 29 March 2019.

“Data
protection if there’s no Brexit deal”
outlines what will happen in that scenario, reflecting the reality that the
free flow of personal data between the UK and the EU is vital to maintaining
the relationships that are essential to the economy and security.

The
‘No Deal’ framework

The European Union (Withdrawal) Act 2018 will incorporate the GDPR (General Data Protection Regulation ) into UK law post Brexit. The government will then have the power to make appropriate amendments to ensure that it works effectively in a UK context.

The UK government’s website provides a full list of amendments to UK data protection law in the event of a no-deal Brexit.

Data
controllers and data subjects: The
responsibilities of data controllers will remain the same, and data subjects
will continue to benefit from the same high levels of data protection as they
do now.
Data
transfers from the UK to EEA (European Economic Area) countries: The UK will “transitionally recognise” all EEA countries (and
Gibraltar) as providing an adequate level of protection for personal data,
allowing organisations to transfer data freely. The UK would keep all of these
decisions under review.
Data
transfers from the EU to the UK:
Each EU member state will have to provide their own rules for transferring data
to the UK. Organisations in the UK that rely on data transfers from the EU
should work with their EU counterparts to make sure alternative mechanisms for
transfers (such as standard contractual clauses) are in place.
Existing
EU adequacy decisions: The UK government intends to
preserve the effect of adequacy decisions made regarding a country or territory
outside the EU. This means that transfers from UK organisations to adequate
countries can continue uninterrupted. The EU
Commission has so far recognised Andorra,
Argentina, Canada (commercial organisations), the Faroe Islands, Guernsey,
Israel, the Isle of Man, Jersey, New Zealand, Switzerland, Uruguay and the US
(limited to the Privacy Shield framework).
Recognising
EU SCCs (Standard Contractual Clauses):
Provisions will be made so that the use of SCCs that have previously been
issued by the European Commission will continue to be an effective basis for
international data transfers from the UK. Under the proposed regulations, the
ICO (Information Commissioner’s Office) will have the power to issue new SCCs
after the UK leaves the EU.
BCRs
(Binding Corporate Rules): Existing BCRs will continue to be
recognised after Brexit, and the ICO will retain its ability to authorise them.
Maintaining
the GDPR’s extraterritorial scope: The
GDPR applies to all organisations that process EU residents’ information,
regardless of where they are based. The UK government will retain this scope
regardless of whether a Brexit deal has been reached.
UK
representation for controllers: The
UK government will replicate the GDPR’s requirements for controllers based
outside the EEA to designate an EEA representative.

As this list shows, things won’t change too much in
the event of a no-deal Brexit, but one big requirement is the need for an
EEA-based representative.

Find out more

To learn more about our range of tools and protecting your organisation
from a data breach, watch our short introductory
videos: vsRisk Cloud,
the Data Flow Mapping Tool, the DPIA Tool and Compliance Manager. And to pre-register for our new solution GDPR
Manager, click
here.

To request a demonstration of any of our tools,
please click here.