The Information Commissioner’s Office (ICO) has recently released guidance to help small to medium-sized UK organisations prepare for a no-deal Brexit. If you send personal data from the UK to the European Economic Area (EEA) then you will not need to take additional steps to ensure the data continues to flow after Brexit because the UK government has said that transfers to the EEA will not be restricted.
However, if you receive personal data from the EEA, you will need to take steps to ensure that the personal data continues to flow after Brexit. In the majority of cases, this is best done by putting in place a contract between you and your contact based in the EEA on EU-approved terms known as standard contractual clauses (SCCs), which provide for appropriate safeguards when transferring personal data to a third country or an international organisation. The SCCs will need to be put in place before the date on which the UK leaves the EU without a deal. However, if you do not have the power to enter into a binding contract, then the ICO suggests entering into an administrative arrangement that includes enforceable and effective rights for the individuals whose personal data is being transferred. The European Data Protection Board intends to publish further guidance on administrative arrangements in due course.
If you have an office, branch or other established presence in the EEA, or if you have customers in the EEA, you will need to comply with both UK and EU data protection legislation after Brexit. This means you may need to designate a representative in the EU.
Finally, it is important to remember to review and update your privacy information and documentation for any changes that will need to be made after Brexit.