This is more of a reminder than anything else. I’ve already blogged about the risks of a hard Brexit from a data protection compliance perspective, and we’ve featured it in our October newsletter at Securys. But now the ICO has also said similar things, and the government is moving to “full hard-Brexit preparation”. So it’s worth reiterating the main concerns:
- If we’re not in the EU, and have no transition agreement, it will be illegal for EEA processors to transfer data to the UK without special precautions. There is a range of precautions – and justifications for transfer – available, but they have to be considered, documented and implemented before any transfer takes place.
- If a UK company is offering services in the EU that include or require data processing, and that processing is done in the UK or under UK control, the end consumer needs to be notified of an international data transfer and may be required to consent to it.
- If a UK-based multinational is processing data in the UK or under UK control on staff from outside the UK, it will need to review the measures in place to protect that transfer of data.
The UK government has made it clear that it will continue to sanction transfers from the UK to the EEA (and presumably anywhere with an adequacy decision). But the EU has equally made it clear that it is not intending to make an adequacy decision in favour of the UK.
Short version: if you transfer data from the EEA, whether for employees or customers, or process data on behalf of controllers located in the EEA, you need to get advice now. You will need to consider a variety of measures including changes in processing, revisions to justifications and data protection impact assessments, use of model clauses in contracts or binding corporate rules.
We can assume that some EU data protection regulators will be under significant local pressure to review transfers to the UK after a hard Brexit, so this is a risk we would take seriously.