The Information Commissioner’s Office (ICO) is offering guidance on how UK organisations can operate if data transfers are blocked in the event of a No Deal Brexit.
Although the UK implemented the General Data Protection Regulation (GDPR) earlier this year, if the country leaves the European Union without a deal in place, it will be classed as a ‘third country’ until a data adequacy agreement can be made.
For UK organisations, this means some data can be transferred from the UK to the European Economic Area (EEA).
However, under these circumstances, the flow of personal information from the EEA to the UK will cease until an adequacy agreement comes into effect.
This guidance has been issued amid ongoing uncertainty over the UK’s relationship with the EU post-Brexit, along with growing concerns over the government’s ability to secure an appropriate deal.
Currently, personal information between the UK and the EU flows unhindered due to the 27 nations’ adherence to EU standards. The EU also accommodates the flow of data between member states and non-EU nations through data adequacy decisions.
Arrangements of this scale will take time to implement, though, and are unlikely to be introduced before the March 2019 deadline set by the UK Government – providing Article 50 isn’t extended or withdrawn.
As such, the ICO has stated that UK businesses will need to consider their position and adapt operations to meet the changing standards which are likely to come into effect.
Information Commissioner Elizabeth Denham said: “The guidance we have produced will help organisations plan ahead and ensure that personal data continues to flow.
“We will be providing further information to the small number of organisations in the UK that rely on approved Binding Corporate Rules for their transfers to explain how they may be affected.
“We will continue to help all organisations understand how any future changes in data protection regulation will affect you and the measures you need to put in place.”
With a decreased data flow, public services across the UK – including a number of NHS Trusts and suppliers – could be disrupted. Many Trusts currently store data on AWS servers that are often EEA-based.
The ICO’s guidance underlines a number of key areas in which organisations must prepare and adapt accordingly to ensure minimal disruption.
These include continuing GDPR compliance, reviewing organisational structure for European operations, reviewing privacy information and assessing transfers to and from the UK.
A core feature of this guidance is the proposal that UK businesses implement Standard Contractual Clauses with EU-based organisations or companies. The ICO has published an interactive walkthrough to help SMBs determine if these measures are suitable to implement.