The Information Commissioner's Office (ICO) has issued guidance for businesses and organisations in Britain about how to cope with data transfers being blocked, should the UK leave the EU without a deal.
The ICO fears there is no time to reach a data adequacy agreement should the UK crash out of Europe.
“The guidance we have produced will help organisations plan ahead and ensure that personal data continues to flow,” said Information Commissioner Elizabeth Denham.
“We will be providing further information to the small number of organisations in the UK that rely on approved Binding Corporate Rules for their transfers to explain how they may be affected.”
“We will continue to help all organisations understand how any future changes in data protection regulation will affect you and the measures you need to put in place.”
Adequacy Agreement needs to be implemented.
Despite bringing the General Data Protection Regulation (GDPR) into UK law in the form of the Data Protection Act 2018, leaving the EU without a deal in place means Britain will be, for a time, classed as a ‘third country’ until an adequacy agreement can be implemented.
According to the ICO, while some data can be transferred from the UK to European Economic Area (EEA) countries, something supported by the UK government, there will be a stop to all flow of personal information in the opposite direction until a data adequacy agreement comes into force.
Because all nations, to date, have adhered to the same standards, personal information has been able to flow freely between the UK and EU countries. The EU also allows the free flow of data between member states and non-EU countries through data adequacy decisions.
But any such arrangements will take time to conclude and cannot logistically be in place by March 2019, the legislative date of withdrawal, unless Article 50 is extended or suspended.
Businesses will, therefore, need to consider their circumstances and adapt their operations accordingly.
It could also severely hamper the delivery of public services, including many NHS Trusts and their suppliers, which store data on EEA-based AWS servers.
ICO guidance on how to minimise disruption after Brexit.
The broader guidance includes a set of frequently asked questions (FAQs) regarding the various information and data regulations with which businesses have had to comply, as well as a six-step checklist for organisations to follow.
The FAQs highlight such queries as ‘what will the UK data protection law be if we leave without a deal?’, and ‘Will the GDPR still apply if we leave the EU without a deal?’
The ICO’s six-step checklist, meanwhile, highlights a range of measures organisations will need to implement to ensure minimal disruption beyond March.
These include continual GDPR compliance, assessing transfers to and from the UK, reviewing the organisational structure if operating across Europe, reviewing privacy information and documentation, as well as raising the level of awareness among senior staff.
One key measure that businesses can implement is Standard Contractual Clauses between themselves and EU-based organisations. The ICO has also produced an interactive walkthrough mainly targeting SMBs to determine whether this is a suitable measure for them to implement.
The walkthrough includes help with completing the essential clauses of these contracts and also minimises the costs of putting these into place. The ICO is also aiming to incorporate an online tool that can automatically generate these contracts.