The Information Commissioner publishes practical advice
As we all know, the GDPR came into force in May last year and it required us all actively to consider the manner in which we deal with personal data. One of the focus points is how we transfer personal data to companies outside of the EEA and the requirement for safe guarding such transfers.
On 29th March 2019 (or, in the event of a delay, such date as we leave the EU), the UK will acquire ‘third country status’ having left the EU and accordingly, the GDPR will impose restrictions on transfers of personal data from the EEA to businesses and organisations in the UK and visa versa. It is hoped that, given that the UK has implemented GDPR and its own Data Protection Act 2018 which means that we have data protection laws which are in line with the EU Commission, the UK will be granted an ‘adequacy decision’ by the EU Commission. This will mean that we can continue to transfer personal data into the EEA in compliance with our own laws.
However, such decision can only be considered once we have left the EU and it will, in the manner of all things legislative, take time. In the meantime, UK businesses will need to assess whether they will need to make new arrangements in the event of a no-deal Brexit to ensure that they can continue to transfer and receive transfers of personal data to and from organisations based in the EEA.
The Information Commissioner (IC), Elizabeth Denham, has published a blog giving some myth busting advice for UK based small and medium sized businesses in connection with transferring personal data to and from the EEA in the event of a no-deal Brexit. In the absence of the expected detailed guidance from the European Data Protection Board on international transfers of personal data, this is a useful steer from the IC on adjustments to data transfer arrangements necessitated by Brexit which will be welcomed by UK businesses.
If you are concerned, or if you would like further guidance on this or other data protection matters, please contact a member of the Data Protection team; Laura Trapnell; Crispin Dick or Ryan Mitchell.