On 31 October 2019 the UK is due to leave the EU, possibly without a deal, and businesses across the UK need to take steps to prepare for what will happen in the event of a No Deal Brexit.
If your business is reliant on the transfer of personal data from the EU, there are a couple of key changes that will affect the way in which you operate and will need to be addressed before 31 October as part of your overall Brexit strategy.
In a No Deal Brexit scenario, the UK will immediately leave the EU’s institutional structures and will no longer be part of the European Economic Area (EEA). Existing legislation allowing businesses operating within the EEA to freely share or transfer personal data to others also within the EEA will no longer apply.
This will not affect businesses transferring personal data from the UK to the EEA as the UK already recognises the EEA as a safe destination for the transfer of data.
The issue will arise where personal data transfers from the EEA to the UK. If the UK is no longer part of the EEA, it will be subject to strict data transfer rules. The EU will need to assess and determine the UK’s levels of data protection adequacy.
This assessment process can only be started when the UK leaves the EU and, although it is likely that the EU will determine the UK does have adequate levels of data protection, it is unclear how long it will take.
The consequences are significant. A UK business which imports personal data from the EEA will need to implement steps to safeguard that flow of data. One way to manage this is to adopt what have been referred to as ‘Standard Contractual Clauses’. These are additional contractual clauses which govern how personal data may be processed and must be entered into in addition to whatever wider contract is already in place.
A further area of concern is that it is unclear at the moment whether UK businesses relying on consent for the processing of EU personal data (e.g. in relation to customers) can continue to do so following a No Deal Brexit where the consent was obtained while the UK is still part of the EU. It may be necessary to seek consent again.
As with many aspects of Brexit preparation, these issues are complex and require careful legal analysis of your existing arrangements. There are steps that you can take to protect your business, but it is crucial you speak to the right person and get the correct advice.
If you are in any doubt about compliance with your data protection responsibilities, or would like advice regarding measures that will need to be implemented in the event of a No Deal Brexit, please contact Andrew Sparrow at Andrew.firstname.lastname@example.org or Charlie Pattihis at Charlie.email@example.com.
Alternately, please don’t hesitate to call our corporate legal specialists on 020 7822 4000.