What is this all about?
The UK Information Commissioner’s Office (“ICO”) recently issued updated guidance called “Data protection and no-deal Brexit for small businesses and organisations” which can be found here https://ico.org.uk/for-organisations/data-protection-and-brexit/data-protection-and-brexit-for-small-organisations/. We have made a film about a no-deal Brexit and data protection issues which can be found here https://www.corderycompliance.com/hard-brexit-and-data-protection/ and also written about this issue here https://www.corderycompliance.com/ico-brexit-and-data-protection-guidance/.
What has the ICO said?
The ICO is urging organisations to “prepare for all scenarios” in order to maintain data flows when the UK leaves the EU, preparing for the possibility that the UK leaves the EU with no deal.
The guidance essentially repeats the same previously published advice on how to maintain data flows but has been updated to be more relevant and accessible for smaller organisations.
If there is a no deal scenario, EU law will require additional measures to be put in place when personal data is transferred from the EEA to the UK, in order to make them lawful. The ICO’s guidance sets out what can be done in this regard, notably with regard to so-called “model/standard contractual clauses”.
The UK government’s policy is that data transfers from the UK to the EEA will not be restricted, for now at least.
What has the commissioner said?
Information Commissioner Elizabeth Denham has said the following:
“It’s crucial that organisations make sure they properly prepare for all scenarios. If your organisation sends or receives personal information to countries in the EU, this guidance will help you work out whether you need to take steps now, what you need to do to prepare, and then let you get back to running your business. Even if you think your organisation doesn’t transfer data internationally, I’d urge you to read what we’ve produced, and assess whether you need to act.”
The ICO’s website offers guidance to help organisations prepare for the UK leaving the EU, including checklists and interactive tools, which can be found here: https://ico.org.uk/for-organisations/data-protection-and-brexit/
What are the takeaways?
The key actions that businesses can do for now is to review their data transfer arrangements and related documentation, which should include looking at whether a GDPR representative will have to be established (for UK-based organisations offering goods and services to individuals in the EEA, or monitoring the behaviour of individuals in the EEA), in light of the guidance and engage with partners and suppliers in the rest of the EU accordingly.
For more of our reporting about data protection issues see here http://www.corderycompliance.com/category/data-protection-privacy/.
Data breaches are also a key issue for organisations who need to make sure that they do all that they can to stop data breaches including ensuring they can react to data breaches quickly when they happen. Cordery’s Breach Navigator can help organisations respond to a breach. There are more details here https://www.corderycompliance.com/solutions/breach-navigator/.
For more information about GDPR please see details of Cordery GDPR Navigator here www.bit.ly/gdprnav.
For more information please contact André Bywater or Jonathan Armstrong who are commercial lawyers with Cordery in London where their focus is on compliance issues.
Office: +44 (0)207 075 1785
Office: +44 (0)207 075 1784