The 29th of March is approaching fast and there is still no clarity on the circumstances of how the UK will leave the European Union. So, how can you prepare your organisation for the impact of a no-deal Brexit should it occur?
What does a no-deal Brexit mean?
A no-deal Brexit would mean that personal data would no longer be able to flow freely between the UK (including Northern Ireland) and Ireland as it previously has done. The UK would become what’s known as a “Third Country” and would not automatically be considered by the EU to be secure enough to transmit personal data to without specific safeguards in place.
Ideally, the European Commission would grant an “Adequacy Decision” to the UK, meaning that its data protection standards are considered equal to those of the EEA and data can continue to flow freely. However, we do know that an adequacy decision (if forthcoming) will not be granted prior to March 29th. In the absence of an adequacy decision, Irish companies needing to transfer personal data to the UK will need to show they are doing so legally.
How do I know if I’m transferring data to the UK?
Some examples of this include:
- Using cloud-based software (e.g. for CRM, email marketing, accounting etc.) that stores data on servers in the UK
- Using a UK company to do payroll, marketing etc. for you
- Using the services of an Irish company that may be owned by a UK parent company
Legal ways to continue transferring personal data to the UK
After March 29th, Irish companies wishing to continue personal data transfers to the UK will have to put legal safeguards in place. In the absence of an adequacy decision, there are a number of legal transfer mechanisms that can be used to underpin transfers from the EU to the UK. We will look at two of the most common ones below – Standard (or Model) Contractual Clauses and Binding Corporate Rules (BCRs).
Standard Contractual Clauses (SCCs)
These are company-to-company mechanisms either adopted by the European Commission or by a national Supervisory Authority (such as the Irish Data Protection Commission) and then approved by the European Commission. Simply put, an SCC is a standard, non-negotiable form; once signed, the company outside the EEA is considered safe to receive personal data from the EU. The European Commission has so far issued two sets of SCCs.
Binding Corporate Rules (BCRs)
These are designed to allow multinational companies to transfer personal data internally within the group even if parts of the company are based in countries without an adequacy decision. The company must draft the rules and the lead Supervisory Authority must approve them. More information on the steps for getting approval of BCRs can be found here.
The Data Protection Commission has issued some guidance around what to do next
- Map the personal data being transferred to the UK currently.
- Determine if the transfers will need to continue beyond 29th March 2019.
- If this is the case, then assess the various transfer mechanisms to decide which one best suits the situation and work towards having it in place before 29th March 2019.
To determine how to proceed, you could take the following steps within your organisation:
- List all the cloud-based software you use.
- Contact your vendors and ask them whether, at any point, your data passes through or is stored in the UK.
- Do the same for your outsourcing companies, e.g. IT services, payroll etc.
- Determine a course of action if your providers still plan to process personal data in the UK. You may need to switch providers or suspend operations until legal safeguards are put in place.
- The Data Protection Commission has issued some guidance for Irish companies here
- European Data Protection Board note on companies which have the UK’s Information Commissioner’s Office as BCR Lead Supervisory Authority
- European Data Protection Board note on data transfers in the event of a no-deal Brexit