The free flow of data underpins the modern economy and is essential to businesses in every sector, from automotive to logistics. The impact of no deal on data flows could be disruptive: preparation must be on every business’ radar.
Key challenges for business
How will data transfers between the UK and EU change after no deal?
The UK has confirmed it will continue to recognise EU standards of personal data. It will permit UK businesses to send personal data to the EU and countries with adequacy and partial adequacy agreements (e.g. the US, Japan, and Canada) without any additional requirements.
However, the EU will treat the UK as a third country, meaning that UK businesses who receive data from Europe will need to implement new safeguards. Standard contractual clauses are the most common safeguard – these are standard sets of terms and conditions which the sender and receiver of personal data insert into contracts. Businesses should work with their EU supply chain and partners to identify where safeguards may be necessary.
What will happen to GDPR in the event of no deal?
The government intends to incorporate GDPR into UK law. Businesses must continue to comply and should follow current guidance on complying with GDPR from the Information Commissioner’s Office (ICO). References to EU law and terminology in business’ documentation must be identified and updated to reflect UK terminology upon exit.
Will no deal impact how businesses interact with EU authorities?
Businesses will no longer benefit from One-Stop-Shop, which allowed them to interact with a single supervisory authority. This means that if the ICO is currently a business’ lead data protection regulatory authority but they have offices, branches, or other subsidiaries in the EU, they might need to deal with other European supervisory authorities after no deal.
If a business is based solely in the UK but offers goods or services to EU citizens or monitors their behaviour, it may need to appoint a suitable representative in Europe. They will act as the firm’s local representative with individuals and data protection authorities in the EU.
Key questions for business to consider
Not every business will need to take the same steps – but these key questions will help you identify how to best prepare for a no deal:
- Do you receive personal data from the EU?
- Does your organisation have a map of where it receives and sends data?
- Are the relevant employees in your organisation up to date on current issues and guidance?
- Do you know who your lead supervisory authority is and, if you have to interact with new supervisory authorities, have you begun to build relationships with them?
- Have you checked whether you need to update contracts to reflect UK terminology rather than EU terminology?
- Have you appointed an EU representative within your organisation – should one be needed – to be responsible for GDPR compliance and as a point of contact for European citizens?
- Have you considered the long-term impact of no deal on data on your plans for positioning of data centres?
Want the highlights? View our webcast
Preparing for no deal: the changes to data transfers
Other resources to help you plan
Keep up to date with the government’s latest guidance and information.
Read the ICO’s 6 steps to prepare and further guidance. If you’re unsure about which safeguard is appropriate, the ICO also outlines the different legal bases that can be used in the event of no deal.
If you’re an SME, use the ICO’s dedicated guidance, which includes a checklist to help you consider if and how you might be affected by a no deal.
Help your employees understand how to use standard contractual clauses by using the ICO’s interactive tool.
TechUK has a no deal Brexit hub with preparation advice.
The Advertising Association has advice on preparing for no deal on data here.
How are other businesses preparing?
— UK conference company
"The main component of our Brexit planning was to map our data flows. We receive conference bookings from all over Europe, so we had to identify key partners to contact where we’d need to introduce alternative arrangements. We worked with them to put standard contractual clauses (SCCs) in place. The ICO’s guidance was so useful – it helped us to understand the appropriate use of SCCs.
We’ve also reviewed our privacy information and documents so we’re ready to make any minor changes immediately after exit.”