Leaving the EU will not automatically free the UK from legal restrictions contained in national laws deriving from European legal instruments. A good example is the Data Protection Act 2018, which will still be applicable after March 2019.
However, there are a few points to consider:
- The UK will cease to belong to the EU “safe data” zone and will become a so-called “third country”;
- In the absence of an Adequacy Decision by the European Commission, it will be more difficult for businesses in EU and European Economic Area (EEA) member states to send personal data to the UK, as restrictions will apply; and
- The UK’s departure from the EU could also affect the ability of a group of non-EU countries (such as Singapore) to send personal data to the UK, because countries are increasingly adopting data protection laws that follow the EU model and include “export controls” on data leaving for less protective jurisdictions.
You must also be aware that even companies that do not use much personal data as part of their core business still need to consider HR.
What is the Government saying?
The Government has just published its Brexit “no-deal” advice on Privacy and Data Protection.
The guidance encourages companies to take action now to ensure business continuity post-Brexit, should Britain leave the EU without a deal. Companies, therefore, will have to rely on the established safeguard mechanisms to receive data from the EU. In practice, this means agreements will have to be revisited. However, the Government considers that data transfers from the UK to the EU will still be able to occur without restriction.
What do you need to do?
Below are some action points that you need to take now:
- Map the personal data flows coming from outside or leaving the UK;
- Identify where the data resides;
- Check whether you use EU or “third country” based service providers to process data and identify the services they provide to you (for example, payroll processing, back office, IT infrastructure). You might consider re-contracting with them;
- Consider whether you need changes to ensure that data can continue to flow post-Brexit and decide where the legal responsibility falls in relation to making such changes;
- If your key providers/clients are located outside of the UK, decide whether implementing Standard Contractual Clauses would be feasible; and
- Verify whether you need to transfer high-risk data (for example, health data, human resources data, bank account data). If you do, identify the provisions that you need to put in place to continue the transfers or consider whether they could be re-directed to alternative EU group companies with offices in the UK.
Gemserv can help with all the above, review and update your contracts, or identify the right data sharing mechanism for you to ensure your company will be able to continue to operate in case of a “no-deal” Brexit.
If you would like to hear how we can help you please contact us at firstname.lastname@example.org or on +44(0)20 7090 1091.