ICO Urges Businesses To Prepare For No-Deal Brexit

In a Westminster eForum event on GDPR practice in London, the director of strategic policy at the Information Commissioner’s Office, Jonathan Bamford, is reported to have urged businesses to prepare for a no-deal Brexit in terms of planning to stop interruption in data flows from Europe.

Why?

As explained by parliament.uk, three-quarters of the UK’s cross border data flows are with EU countries, and when the UK leaves the EU, it will leave the legal framework for moving data between the UK and the EU. This means that businesses may need to act to make sure that data flows can continue uninterrupted between the UK and the EU.  With a no-deal Brexit, this is going to be of particular importance because there may be no ‘adequacy agreement’ in place for some time.

What Is An Adequacy Agreement?

A decision of adequacy/adequacy agreement is made by the EC if they consider a country outside of the EU, which the UK will be after 29th March, as somewhere that provides a level of protection which is equivalent to that of the EU.  A 'decision of adequacy' will allow data to flow into and out of the EU without the need for other safeguards.

Unfortunately, if there is a no-deal Brexit, and there is no adequacy decision in place for some time, businesses and institutions may find themselves having to use alternative legal mechanisms that could be bureaucratic, costly, and could cause delays.

Not In Place Before Brexit

The ICO has warned that an adequacy agreement will not be in place before Brexit, hence the need for businesses to think about making some plans.

What Sort of Things May Be Affected?

Examples of things businesses may need to consider in order to maintain data flow post-Brexit include:

  • Organisations that receive data from Europe, and use cloud services based within the EU may need to think about what risks and disruption they could face if no adequacy agreement is in place, and what other mechanisms and agreements they may need to seek.
  • Finding out where company data is stored and who has access to it may be an issue.  Is your data stored in the UK or EU? There is also a need to understand data flow.
  • Possibly needing to renegotiate data services supplier contracts for GDPR (as some banks have done).
  • Global organisations operating in multiple jurisdictions may need to look at how data is transferred within their organisation and whether corporate rules need to be changed.
  • Organisations may need to look at where their riskiest and/or more important data transfers are, and plan to get Standard Contractual Clauses (SCCs) implemented i.e. contractual forms approved by the EU Commission as offering adequate protection for the personal data of individuals.

Absorbed in UK Law

For most businesses, because GDPR will be absorbed into UK law at the point of Brexit, there should no major changes to the basic data rules that businesses need to follow.

Approved Industry Codes
Some business commentators have suggested that data transfers to 'third countries' could be carried out under an EDPB (European Data Protection Board) approved industry code if there was no adequacy agreement in place. This, however, looks unlikely to materialise in time for Brexit.

What Does This Mean For Your Business?

The UK must be able to move data between itself and the EU in order to maintain a healthy trading relationship after Brexit.  Also, UK citizens need to be assured that their personal data will be safeguarded after the UK leaves the EU.  Yes, GDPR will be absorbed into UK law as the Data Protection Bill on leaving the EU, which should bring satisfactory parity between UK and EU data laws, but it is worrying to think that UK businesses (and consumers) could be exposed to risks because there is unlikely to be an adequacy agreement in place for some time. 

A no-deal Brexit could, therefore, threaten post-Brexit data and create more bureaucracy for UK businesses that will need to work to ensure that they are seen to be ‘safe importers’ of data in data transfers agreements.

This is a complicated-enough subject for businesses anyway without considering the need to look at more pieces of the puzzle.  Businesses can find more information on the subject by studying the ICO’s guidance on ‘Data Protection if There’s No Brexit Deal’ here: https://ico.org.uk/for-organisations/data-protection-and-brexit/data-protection-if-there-s-no-brexit-deal/  and by studying the ICO’s ‘Leaving the EU – Six Steps To Take’ here: https://ico.org.uk/media/2553958/leaving-the-eu-six-steps-to-take.pdf.