On the 29th of March, as things stand at the time of writing, the UK will be leaving the EU (some of our intrepid Microsoft Dynamics 365 experts will hopefully have just returned home after making the most of our final day of EU membership attending CRMUG Summit EMEA in Amsterdam!). If that happens without a deal, there could be implications for UK companies transferring data across national boundaries. Your data might not be caught up in a lorry park in Kent, but without a bit of preparation, you could find your data transfers being impacted.
While GDPR and its implementation in the UK have been the focus for over a year – and whatever happens with Brexit it will remain in effect in the UK – we may now need to think of ourselves as outsiders with respect to the EU GDPR.
WE ARE NOT LAWYERS! None of this article is legal advice; contact your legal advisor if you need more details. Also, see the ICO articles on Brexit. There’s also some more background and comment on the BBC site.
From the time of Brexit, any data flowing from the EU to the UK would need to be treated in the same way as any data currently flowing from the EU (including the UK) to other third countries such as the US. Broadly, this will mean that one of the following applies:
- The EU makes an “adequacy decision”, essentially stating that the UK data protection regime is at least as strong as those in the EU. As GDPR is to be retained in the UK there should be no reason this won’t be forthcoming eventually, but it may take some time.
- You should implement standard contractual clauses – text defined by the ICO to add into your contracts to ensure data protection safeguards. This will likely be the short-term solution for most SMEs, and the clauses can be obtained from the ICO.
- Larger organisations that will still have a presence in the EU can use binding corporate rules to demonstrate their data protection compliance worldwide.
Data transfers from the UK to the EU will not be impacted, as the government has already confirmed that they will not be introducing any additional regulations on this. However, you may need to update your documentation such as privacy notices to make it clear where personal data is being sent. You may also have contracts in place stating that data will not leave the EU, which may need to be updated to include the UK.
So far, so good – if you’re dealing with the UK and EU then there might be a bit more paperwork to do, but hopefully not too much of a problem if you’re prepared.
But what about other countries? While our focus has been on the EU and GDPR, other countries have been busy implementing their own data protection legislation. In particular, Andorra, Argentina, Canada, Faroe Islands, Guernsey, Isle of Man, Israel, Jersey, New Zealand, Switzerland, Uruguay, and the USA currently have adequacy decisions from the EU to some extent, indicating they have data privacy protection similar to GDPR. As such, they will have similar restrictions on the transfer of personal data, and while the UK is part of the EU the adequacy decisions will have permitted the transfer of data from these countries to the UK. When we are outside the EU, the UK will need to renegotiate those arrangements as well as that with the EU itself, so you should take advice from the authorities in those countries.