ICO Warns UK to Prepare for Brexit "No Deal" Data Flows

Written by

The UK’s privacy regulator has warned businesses to prepare now for a potential Brexit 'no deal,' claiming they may have to put in place standard contractual clauses to ensure unhindered data flows.

With Theresa May’s government still refusing to rule out the prospect of allowing the country to exit the EU without a deal, businesses should get to planning their response, argued information commissioner, Elizabeth Denham.

Although London will allow personal data flowing from the UK to European Economic Area (EEA) countries unhindered, the same will not be true of data coming into the UK, meaning businesses should start by mapping data flows.

“You need to assess whether your business involves transfers of personal data, such as names, addresses, emails and financial details to and from the EEA and if this is going to be lawful in the case of ‘no deal’,” said Denham.

“It is the responsibility of every business to know where the personal data it processes is going, and that a proper legal basis for such transfers exists.”

Even companies transferring data to and from parent organizations in Europe will need to put in place additional measures, with standard contractual clauses mentioned several times in the blog post.

“There are many mechanisms companies can use to legitimize the transfer of personal data with the EEA and standard contractual clauses is one of those. We have produced an online tool to help organisations put contract terms in place providing the lawful basis for the data transfers. Companies that need to act would also benefit from Leaving the EU - six steps to take guidance for more information,” said Denham.

“You know your organization best and will be able to use our guidance to assess if and how you need to prepare. Alternative data transfer mechanisms exist but it can take time to put those arrangements in place.”

Companies expecting an “adequacy” decision to be made on exit day to ensure unhindered data flows will also be disappointed, said Denham.

Negotiations to secure this will take “many months” and can only begin once the UK has left the EU, so alternative arrangements like standard contractual clauses will need to be put in place in the meantime.

The complexity, extra cost and effort required for firms to replace existing rules and frameworks is a microcosm of the Brexit process in general, which one former WTO boss described as being “as difficult as removing an egg from an omelette.”

What’s hot on Infosecurity Magazine?