Legal News | 17.10.19
The Impact of Brexit on Data Protection
This article details the changes to data protection in a no-deal Brexit.
What will remain the same after a no-deal Brexit?
There will be no immediate change to the UK’s data protection standards. The General Data Protection Regulation (GDPR) has been brought into UK law and the Information Commissioner will remain the UK’s independent supervisory authority on data protection. The UK is a global leader in strong data protection standards. Protecting the privacy of individuals will continue to be a priority. The UK government has committed to allow personal data to continue to flow freely to the EU, EEA and adequate third countries without restrictions.
What will change in a no-deal Brexit?
When the UK leaves the EU, we will become a third country under GDPR. Transfers from the EEA will become restricted and require additional legal safeguards. As an external country, we will need what is called an adequacy ruling showing our data protection standards are suitable, but this is not likely to be agreed upon until at least 12 months post Brexit. Instead, UK and EU organisations will need to ensure their data transfers are lawful through additional steps. The transfer of data from the UK to the EU will not be an issue as the UK has deemed the EU as having suitable data protection standards. However, if you transfer data from the EU to the UK then you will have to review your contracts and include Standard Contractual Clauses or other Alternative Transfer Mechanisms to ensure you can continue to legally receive personal data.
How can personal data flow?
Examples of the ways personal data can flow include:
- Addresses in delivery details;
- Bank accounts in order details;
- Personnel files by outsourcing HR responsibilities;
- Names and addresses of partners, re-sellers;
- Intra-company transfers of customer details; or
- Intra-company transfers of HR or personnel details.
What do you need to do to prepare?
1. Find out if your organisation receives personal data from the EU/EEA;
1a. You may want to prioritise transfers of large volumes of data, transfers of special category data or criminal convictions and offences data, and your business-critical transfers;
1b. Consider how you may continue to receive these transfers lawfully after exit date. The simplest way to provide a safeguard is to enter into standard contractual clauses with the sender;
2. Identify if you transfer large volumes of special category data or criminal convictions and offences data as part of your business-critical transfers;
3. Identify if you transfer large volumes of personal data as part of your business-critical transfers;
4. Consider the safest way to continue these transfers lawfully.
How can we help?
- We can discuss the requirements your business has for transfers of personal data;
- Review your procedures to ensure they are compliant;
- Provide an updated privacy notice for your employees;
- Provide an updated data protection policy, outlining your employees’ obligations when they are processing personal data;
- Update your employment contract.
To contact us, please call us on 01380 733300 or email us at firstname.lastname@example.org