The Information Commissioner's Office (ICO) posted a myth-busting blog for small and medium businesses (SMBs) ahead of World Data Protection Day, with facts on how data will be transferred post-Brexit.
The Information Commissioner Elizabeth Denham explained how personal data will continue to flow between the UK and EU after Brexit.
What is the Information Commissioner’s Office (ICO)? General Data Protection Regulation (GDPR)
At the moment personal data flow is unrestricted because the UK is still an EU member state and if the proposed EU withdrawal agreement is approved, businesses can be assured that personal data will continue to flow until 2020 while a longer-term solution is put in place.
However, a 'no-deal' exit is still a possibility with the government yet to agree on a plan. This means that EU law will require additional measures to be put in place by UK companies when personal data is transferred from the EEA to the UK, in order to make them lawful.
"Like everyone in the UK right now, we are following the twists and turns of the Brexit negotiations," Denham wrote. "The sharing of customers, citizens and employees personal data between EU member states and the UK is vital for business supply chains to function and public authorities to deliver effective public services."
With less than two months to go until the UK leaves the EU, Denham's blog sets out to bust the misconceptions about what a 'no-deal' Brexit would mean for UK companies transferring personal data to and from the EEA.
According to Denham, in the event of a 'no deal' situation, despite the UK government already making it clear its intention to enable data to flow from the UK to EEA countries without additional measures, transfers of personal data from the EEA to the UK will be affected.
"The key question around the flow of personal data, is whether your data is going from the UK to the EEA or exchanged both ways?" she wrote. "If you are unsure, start by mapping your data flows and establish where the personal data you are responsible for is going. All businesses operating in the EEA should consider whether they need to take action now."
Denham also explained that it is the responsibility of every business to know where the personal data it processes is going and that a proper legal basis for such transfers exists.
"Personal data transfers are not about whether your business is exporting or importing goods," she wrote. "You need to assess whether your business involves transfers of personal data, such as names, addresses, emails and financial details to and from the EEA and if this is going to be lawful in the case of 'no-deal'."
"Don't presume you are covered by the structure of your company," Denham also warned. "In the case of 'no-deal', UK companies transferring personal information to and from companies and organisations based in the EEA will be required by law to put additional measures in place. You will need to assess whether you need to take action."
