Data Protection: Take steps now to prepare for no-deal Brexit
7th February, 2019
As Brexit grows ever closer, businesses must ensure that they have plans in place for the changes to the data protection landscape brought about by a no-deal exit.
This is vital, particularly for businesses that are active in providing goods or services to customers in the EU, or where they have European operations (such as subsidiaries, branch offices or agents located within the EU).
Businesses that rely on US suppliers’ registration in Privacy Shield may also be affected, as the protections that currently ensure the legality of transatlantic data transfers will not automatically extend to the UK.
In the event of a no-deal Brexit, the UK will become a “third country”, outside the umbrella of EU data protection law. Sometimes referred to as a “data cliff edge”, this change will severely limit the ability of businesses to transfer personal data from within the EU to the UK, and in turn from the UK to other third countries. To prepare for a no-deal Brexit, businesses must consider a range of issues, including:
- The need to put in place approved contractual terms to allow the free flow of data post-Brexit;
- The need to appoint a representative in the EU where required under EU data protection law;
- The need to consider which EU data protection authority will take the lead in overseeing an organisation’s European operations; and
- The need to review and revise internal documents, policies and practices to reflect the changed legal landscape.
Given the recent introduction of GDPR and the significant efforts businesses expended to ensure compliance, it would be understandable for some degree of “fatigue” to be experienced on hearing of further requirements in this area. However, the commercial impact of these data transfers becoming illegal overnight, together with the potential fines of up to €20 million for European operations, mean this issue should be high on businesses’ risk/compliance agenda.
Ward Hadaway has an experienced team who specialise in data protection. We would be happy to discuss these issues further with you and help you ensure that you are ready to meet this challenge. Please contact us if you wish to discuss these issues further.
Please note that this briefing is designed to be informative, not advisory and represents our understanding of English law and practice as at the date indicated. We would always recommend that you should seek specific guidance on any particular legal issue.
This page may contain links that direct you to third party websites. We have no control over and are not responsible for the content, use by you or availability of those third party websites, for any products or services you buy through those sites or for the treatment of any personal information you provide to the third party.