The government must prepare for every eventuality as we prepare to leave the EU on the 29th March 2019, including a no deal scenario.
It has always been the case that as we get nearer to this date, preparations for a no deal scenario would have to be accelerated and the government must ensure plans are in place.
In the summer, the government published a series of technical notices setting out information to allow businesses and citizens to understand what they would need to do in a no deal scenario, so they can make informed plans and preparations.
There are actions UK organisations should take to enable the continued flow of personal data between the UK and the EU in the event that the UK leaves the EU in March 2019 with no agreement in place.
Before the 29th March 2019
Rules governing the collection and use of personal data are currently set at an EU-level by the General Data Protection Regulation (GDPR). In the UK, the Data Protection Act 2018 and the GDPR provide a comprehensive data protection framework. Most other EU countries have their own supplementary legislation.
Under GDPR rules, organisations are only permitted to transfer personal data outside the EU if there is a legal basis for doing so and appropriate measures are in place. Transfers of personal data within the EU are not restricted.
After March 2019 if there’s no deal
If the UK leaves the EU in March 2019 with no agreement in place regarding future arrangements for data protection, there would be no immediate change in the UK’s own data protection standards. This is because the Data Protection Act 2018 would remain in place and the EU Withdrawal Act would incorporate the GDPR into UK law to sit alongside it.
However, the legal framework governing transfers of personal data from EU organisations to UK organisations would change upon exit.
UK businesses will therefore need to take action to ensure EU organisations are able to continue to send them personal data.
What you will need to do
The EU has an established mechanism to allow the free flow of personal data to countries outside the EU: an adequacy decision. The European Commission has stated that if it deems the UK’s level of personal data protection is equivalent to that of the EU, it will make an adequacy decision allowing the transfer of personal data to the UK without restriction.
The European Commission has not yet indicated a timetable for this and has stated that the decision on adequacy cannot be taken until the UK has left the EU.
If the European Commission does not make an adequacy decision regarding the UK at the point of exit and a business wants to receive personal data from organisations established in the EU (including data centres), then it should consider assisting its EU partners in identifying a legal basis and controls for those transfers.
For the majority of organisations, the most relevant option would be standard contractual clauses. These are model data protection clauses that have been approved by the European Commission and enable the free flow of personal data when embedded in a contract.
The clauses contain contractual obligations for the business and its EU partner and rights for the individuals whose personal data is being transferred.
We recommend that you proactively consider what action you may need to take to ensure the continued free flow of data with EU partners.
Further detail on the availability of each legal basis, and the processes associated with making use of them, is available from the Information Commissioner’s website.