GDPR in a no-deal Brexit
18th September 2018
Last week the government issued its guidance on the impact of a no-deal Brexit on data transfers with the EU after we leave the EU on 29 March 2019.
The UK government emphasises the fact that it is very likely a deal will be struck which will allow EU citizen personal data to continue to flow into and out of the UK. However, if such data flows are essential to your business, you need to start to put in place contingency plans which will ensure that personal data can continue to flow after the date we leave the EU. It seems likely that a deal will not be struck (if it is struck at all) before November 2018. If there is no deal and you wait until this is clear, this will give you very little time to plan for a no deal scenario which could have a significant impact on your business.
The UK government has announced it has no plans to put in place limitations to data transfers by UK businesses into the EU. However, it warns that the EU has made clear that the UK will not automatically have adequacy status as set out in Article 45 of the GDPR once it leaves the EU. The European Commission has not yet stated a timetable for any adequacy assessment and has indicated that a decision on adequacy cannot be taken until the UK is a third country i.e. until it leaves the EU. This means that in the event of a no deal Brexit, from 23.00 on 29 March 2019 EU businesses will not be able to transfer personal data into the UK unless an appropriate legal basis for such transfer can be identified.
We recommend you carry out a review of your data import/export activities now. This includes data exports and imports with EU parent companies and subsidiaries as well as service providers you use based in the EU and businesses within the EU for which you provide services. Data flows into and out of the EU should have been identified in any data mapping exercise you carried out for the introduction of the GDPR. If you didn’t do this, or it doesn’t identify data flows within the EU (e.g. it only identifies data flows outside the EEA), you should start that process now. Once you have identified where EU data is transferred into and out of the UK you will then need to identify a way for the data transfers to continue. Many businesses will probably seek to rely on the model contract clauses. These will allow personal data to continue to flow after a no-deal Brexit but will require you to vary your contracts with EU businesses to allow this.
The government’s guidance is available to view here.
If you would like more information on how Brexit will affect data processing with EU entities or you would like our help more generally with data protection or no-deal Brexit planning, please contact Phil Tompkins or Dean Murray.