The Good Old Days
The safe free flow of people, goods and services around Europe has been more or less a given for nearly 50 years. The same could not be said for data until the introduction of the General Data Protection Regulation (GDPR) a year and a half ago. Before the introduction of this regulation, data was flowing freely around Europe but in a fragmented regulatory space wide open to abuse.
Following the launch of the GDPR, all EU member states were required to comply, requiring all EU organisations, in turn, to follow suit. Those same organisations received benefits in return, most notably increased consumer trust regarding the handling of personal data. Data subjects, of course, received the greatest benefit: a tightening of controls regarding how their data could be used.
With Brexit (probably) just around the corner (or not), the future freedom of UK organisations to transfer data to and from the EU is uncertain. If a Brexit deal is struck which brings UK and EU data protection regulation into accord, we’re in the clear. In all other cases, there are a couple of important things to know (plus a caveat, see below).
Most importantly, don’t panic!
Most importantly, don’t panic. Stay calm and wait and see. There’s a slim chance that there will be no Brexit, and if there is, the UK government may well strike a good and timely deal including data protection provisions.
The ICO, who enforce the UK’s long-standing data protection regulations, are making it clear that they intend to continue to implement the GDPR no matter what. The UK might, therefore, receive a swift adequacy decision (a data protection thumbs-up) from the EU following a no-deal Brexit.
Since we have no way of knowing, we’d do well to just wait and see.
Secondly, prepare (just a little) for a no-deal Brexit.
Sending personal data to the EU
No matter what happens you’ll still be able to send personal data to the EU. The UK government has stated that “In recognition of the unprecedented degree of alignment between the UK and EU’s data protection regimes, the UK would at the point of exit continue to allow the free flow of personal data from the UK to the EU.”
Receiving personal data from the EU
Following a no-deal Brexit, however, receiving personal data from the EU will be adversely affected.
Therefore, first check whether you do receive personal data from organisations or individuals within EU member states. If not, no worries, you’re golden.
If you do, then your organisation is going to need to understand what standard contractual clauses are, because, if no timely adequacy decision is forthcoming, you’ll need to implement these in contracts with any entity from any EU member state sending you personal data. It’s also probably worth your while reckoning the operational and legal costs of implementing standard contractual clauses in all relevant contracts should that become necessary.
For the vast majority of UK organisations, the above covers it. For now, just prepare a little and wait and see.
Pragmatic are neither lawyers nor regulatory experts. For a legally certified understanding, you should consult legal or regulatory professionals and read the ICO’s extensive advice and suggestions. This is particularly important if you regularly handle special categories of personal data or rely on the EU-US Privacy Shield for any of your data processing. In such cases, under any kind of Brexit, you may have significant additional requirements to take care of.