Published 30 April 2019
Given the uncertainty around both the timing and form of Brexit, organisations whose businesses rely on cross-border transfers are understandably concerned that a no-deal or “hard” Brexit will impede processing overnight. Various data protection regulators and bodies have therefore issued a wave of guidance, which we have rounded up below:
In the lead up to Brexit, many organisations have set up Irish entities and this will have prompted the publication of this guidance which focusses on implementing standard contractual clauses to safeguard data transfers from Ireland to the UK.
The guidance can be accessed here.
This is a helpful note explaining the mechanisms available to UK businesses transferring or receiving personal data in the event of a no-deal Brexit. The note recognises that the most commonly used mechanism will be standard contractual clauses and that, where additional clauses are agreed, they must not dilute or in any way reduce the level of protection afforded to individuals via the standard contractual clauses.
Binding corporate rules will also be useful for large organisations with entities outside the UK. If your organisation already has binding corporate rules in place, these can be used in the event of a no-deal Brexit, but it is highly advisable that they are reviewed for GDPR compliance. For organisations that wish to obtain new binding corporate rules, this will involve approval by your lead supervisory authority (this is addressed by another EDPB note, as below).
The information note can be accessed here.
In the event of a no-deal Brexit, the ICO will no longer be the lead supervisory authority (LSA), and businesses wishing to apply for new binding corporate rules will need to identify the most appropriate LSA in an EU Member State.
Organisations that have submitted applications which are at the ICO review stage will also need to identify the most appropriate LSA in an EU Member State, and that LSA will take over the application.
Where the ICO has a draft decision approving binding corporate rules and is awaiting final approval from the EDPB, those organisations must advise the EDPB of their new LSA and re-submit a draft for approval.
The note can be accessed here.
All NHS organisations should consult the notes and guidance above and should have completed their annual Data Security and Protection Toolkit assessment, the deadline for which was the end of March 2019. This will allow health and adult social care providers to quickly identify and address any vulnerabilities. It also provides email addresses for points of contact if any issues arise in respect of data flows, databases or data stored in the EEA.
Some Member States are preparing for a no-deal Brexit by introducing ‘no-deal’ legislation to mitigate the risks of disruption to certain financial services provided by UK-based firms – however it is unclear how effective these pieces of legislation will be. The current trend for financial services firms based in the UK has been to set up new European entities as part of their no-deal planning. It has become apparent that there may be a gap in the lawful free flow of personal data following a no-deal exit. The EU have said that they would not begin to assess the UK’s data practices (with an aim of deeming them adequate) until the UK is a third country. In this instance, businesses will have to use the mechanisms that have been discussed above.
The government paper can be accessed here.
The ICO’s latest blog post focuses on addressing some of the issues and concerns that businesses and organisations have about a no-deal Brexit. A lot of these points are misconceptions, and the blog provides a useful analysis of what is the most likely eventuality. The ‘myths’ addressed include a total restriction on transferring personal data from the UK to the EU, the extent to which UK companies’ data transfers will be affected and the likelihood of an adequacy decision.
The ICO’s guidance page for Brexit (which includes this blog) can be found here.
London - Walbrook
+44 (0)20 7894 6577
020 7894 6837
Mary Mundy, Hannah Chapelhow