Published: Monday September 17, 2018
A blog by Kate Lewis, Head of Privacy & Data Compliance
Last week, the UK’s Department for Digital, Culture Media & Sport published a guidance paper on “Data Protection if there is no Brexit deal”.
This paper starts with their view that the chance of no-deal is unlikely, however it's pertinent organisations plan for all scenarios:
“It has always been the case that as we get nearer to March 2019, preparations for a no deal scenario would have to be accelerated. Such an acceleration does not reflect an increased likelihood of a ‘no deal’ outcome. Rather it is about ensuring our plans are in place in the unlikely scenario that they need to be relied upon.”
Given that 75 per cent of all data flows from the UK are to the EU (European Union), it's in the interest of both parties a deal is secured.
If “no deal” happens, the UK will continue to allow for the free flow of personal data from the UK to the EU. Transfers from the EEA (European Economic Area) to the UK, however, will be impacted.
This is not a catastrophe. There is enough time to put a Plan B into action. Unlike in October 2015 when Safe Harbor was withdrawn with immediate effect by the Court of Justice of the European Union, making transfers to the US unlawful.
The great news is organisations should be in good shape thanks to GDPR. We should all have a log of data transfers so we know where to focus. Once a transfer has been identified, the next step is to implement standard contractual clauses.
Norway, Iceland and Liechtenstein are not in the EU, but are party to the Agreement on the European Economic Area. This means they're guaranteed equal rights and obligations within the EU’s Internal Market and are able to participate in some other EU arrangements.
In many areas, these countries proactively adopt EU rules. GBG will work with EEA businesses to take necessary steps to prepare for a ‘No Deal’ scenario to ensure there is no impact on service.
We were recently asked: “I heard standard contractual clauses are being challenged, and may be withdrawn. What would we do then?”
If this happened, it would have wider implications for EEA businesses than the issue of trading with the UK. It would impact global trade, so the European Commission and data protection authorities would not delay in finding a resolution. They have the power under GDPR to fashion a new agreement, with the option to “self-certify” for safe transfer of personal data.
So, we need to continue to watching very closely, but don’t worry – there will be a mechanism where GBG can continue to service our customers located in the EEA or access EEA data.