The ICO (Information Commissioner’s Office) has published Brexit guidance for UK businesses and organisations that transfer data to and from Europe. If your business sends or receives personal data to and from Europe, this is the essential information you need to make sure you continue complying with the law after Brexit.
On 31 October 2019, Brexit was delayed for the third time, further extending the insecurity looming over our lives. Firmly under this shadow are UK businesses, particularly small to medium enterprises, which face a multitude of challenges including compliance with data protection laws and regulations.
Sharing the personal data of customers, clients, and employees is vital to the legitimate operation of any business. Thankfully, even a hard Brexit will not stop your business transferring data altogether. However, if you send and/or receive personal data to and from Europe, it is important to take steps to ensure you can continue to transfer data after Brexit (particularly a no deal Brexit) without any interruption to your business.
Transferring data to and from Europe after Brexit
The ICO’s general guidance for UK businesses is to continue complying with the GDPR (General Data Protection Regulation). Although the GDPR is a piece of EU law, businesses which continue to work with companies and individuals in the EU will need to comply regardless of the data protection laws in the UK. The Government has also stated it intends to incorporate the GDPR into UK legislation alongside the Data Protection Act 2018.
Despite all the uncertainty surrounding Brexit, the Government has made it clear that data can continue to flow from the UK to countries in the EEA (European Economic Area) after we leave the EU without any extra steps being taken.
However, data received from the EEA will be affected by a hard “no deal” Brexit. For example, if you are an online retailer collecting the personal details of customers in the EEA, you will need a special agreement to comply with data protection laws.
Action needed for data transfers to the EEA
For personal data being transferred to the EEA from the UK, the Government states there will be no restrictions or additional action needed after Brexit. This is because the UK has established it is happy with the EU’s standards of data protection.
Action needed for data transfers from the EEA
If we leave the EU without a deal, the UK will need an “adequacy” ruling from the European Commission to demonstrate the EU has determined that our data protection regime is equivalent to theirs. This could take many months and, until an adequacy ruling is in place, businesses need to take steps to ensure they can legally receive personal data from the EEA.
To continue receiving data from the EEA, you need to review your contracts and enter into special agreements with your European customers, suppliers, and other business associates. This is less burdensome than it sounds. For most businesses, Standard Contractual Clauses (SCCs) will be most appropriate, particularly for small to medium businesses.
SCCs are contractual terms and conditions issued by the European Commission which the sender and receiver of personal data must both agree to. They are designed to protect personal data when it is sent outside of the EEA and the coverage of the GDPR.
Does your business need advice about getting ready for Brexit?
At Harold Benjamin, our data protection solicitors can help you prepare your business for Brexit. Our services include advice on data protection regulation and compliance, contract review, advice on SCCs, alternative transfer methods, and general advice on international transfers of personal data.
We aim to develop close, personal relationships with our clients, developing an understanding of your commercial goals and advising strategically. Our specialist lawyers take a holistic approach to business law matters and, as well as data protection, we can provide advice on all associated matters, including tax, trade, employment law, and more.