Transferring data after a no-deal Brexit

The past two years of Brexit negotiations have largely proved the late William Goldman’s adage that “nobody knows anything”. No one can tell you what Brexit will entail; very little has been finalised, and there’s a real possibility that the UK will exit the EU without a formal agreement.

Amid all this uncertainty, you might be surprised to learn that the UK government does have a plan for protecting personal data if the UK can’t negotiate a deal by 29 March 2019.

‘Data protection if there’s no Brexit deal’ outlines what will happen in that scenario, reflecting the reality that the free flow of personal data between the UK and the EU is vital to maintaining the relationships that are essential to the economy and security.

The ‘No Deal’ framework

The European Union (Withdrawal) Act 2018 will incorporate the GDPR (General Data Protection Regulation) into UK law post Brexit. The government will then have the power to make appropriate amendments to ensure that it works effectively in a UK context.

The UK government’s website provides a full list of amendments to UK data protection law in the event of a no-deal Brexit.

  • Data controllers and data subjects: The responsibilities of data controllers will remain the same, and data subjects will continue to benefit from the same high levels of data protection as they do now.
  • Data transfers from the UK to EEA (European Economic Area) countries: The UK will “transitionally recognise” all EEA countries (and Gibraltar) as providing an adequate level of protection for personal data, allowing organisations to transfer data freely. The UK would keep all of these decisions under review.
  • Data transfers from the EU to the UK: Each EU member state will have to provide their own rules for transferring data to the UK. Organisations in the UK that rely on data transfers from the EU should work with their EU counterparts to make sure alternative mechanisms for transfers (such as standard contractual clauses) are in place.
  • Existing EU adequacy decisions: The UK government intends to preserve the effect of adequacy decisions made regarding a country or territory outside the EU. This means that transfers from UK organisations to adequate countries can continue uninterrupted. The EU Commission has so far recognised Andorra, Argentina, Canada (commercial organisations), the Faroe Islands, Guernsey, Israel, the Isle of Man, Jersey, New Zealand, Switzerland, Uruguay and the US (limited to the Privacy Shield framework).
  • Recognising EU SCCs (Standard Contractual Clauses): Provisions will be made so that the use of SCCs that have previously been issued by the European Commission will continue to be an effective basis for international data transfers from the UK. Under the proposed regulations, the ICO (Information Commissioner’s Office) will have the power to issue new SCCs after the UK leaves the EU.
  • BCRs (Binding Corporate Rules): Existing BCRs will continue to be recognised after Brexit, and the ICO will retain its ability to authorise them.
  • Maintaining the GDPR’s extraterritorial scope: The GDPR applies to all organisations that process EU residents’ information, regardless of where they are based. The UK government will retain this scope regardless of whether a Brexit deal has been reached.
  • UK representation for controllers: The UK government will replicate the GDPR’s requirements for controllers based outside the EEA to designate an EEA representative.

As this list shows, things won’t change too much in the event of a no-deal Brexit, but one big requirement is the need for an EEA-based representative.


*** This is a Security Bloggers Network syndicated blog from Vigilant Software Blog authored by Nicholas King. Read the original post at: https://www.vigilantsoftware.co.uk/blog/transferring-data-after-a-no-deal-brexit