No-deal Brexit will block critical data transfers from EU, warns ICO

With no time to reach a data adequacy agreement, the ICO has published guidance for businesses to avoid disruption

EU to scrap roaming charges within two years

The Information Commissioner's Office (ICO) has issued guidance for UK organisations on how to cope with data transfers being blocked in the event Britain crashes out of the European Union (EU) without a deal.

Despite bringing the General Data Protection Regulation (GDPR) into UK law in the form of the Data Protection Act 2018, leaving the EU without a deal in place means Britain will be, for a time, classed as a third country' until an adequacy agreement can be implemented.

Advertisement - Article continues below

This means that while some data can be transferred from the UK to European Economic Area (EEA) countries, something supported by the UK government, there will be a stop to all flow of personal information in the opposite direction until a data adequacy agreement comes into force, according to the ICO.

Personal information has been able to flow freely between the UK and EU countries to date because all nations have adhered to the same standards. The EU also allows the free-flow of data between member states and non-EU countries through data adequacy decisions.

But any such arrangements will take time to conclude and cannot logistically be in place by March 2019, the legislative date of withdrawal, unless Article 50 is extended or suspended. This means businesses will need to consider their circumstances and adapt their operations accordingly.

Advertisement
Advertisement - Article continues below

It could also severely hamper the delivery of public services, including many NHS Trusts and their suppliers, which store data on often-EEA-based AWS servers.

Advertisement - Article continues below

"The guidance we have produced will help organisations plan ahead and ensure that personal data continues to flow," said Information Commissioner Elizabeth Denham.

"We will be providing further information to the small number of organisations in the UK that rely on approved Binding Corporate Rules for their transfers to explain how they may be affected.

"We will continue to help all organisations understand how any future changes in data protection regulation will affect you and the measures you need to put in place."

Minimising disruption post-Brexit

The broader guidance includes a set of frequently asked questions (FAQs) regarding the various information and data regulations with which businesses have had to comply, as well as a six-step checklist for organisations to follow.

The FAQs highlight such queries as what will the UK data protection law be if we leave without a deal?', and Will the GDPR still apply if we leave the EU without a deal?'

Advertisement - Article continues below

The ICO's six-step checklist, meanwhile, highlights a range of measures organisations will need to implement to ensure minimal disruption beyond March.

These include continual GDPR compliance, assessing transfers to and fro the UK, reviewing the organisational structure if operating across Europe, reviewing privacy information and documentation, as well as raising the level of awareness among senior staff.

One key measure that businesses can implement are Standard Contractual Clauses between themselves and EU-based organisations. The ICO has also produced an interactive walkthrough mainly targeting SMBs to determine whether this is a suitable measure for them to implement.

The walkthrough includes help with completing the essential clauses of these contracts and also minimises the costs of putting these into place. The ICO is also aiming to incorporate an online tool that can automatically generate these contracts.

Prospects of 'no deal' are rising

The guidance has been issued amid political uncertainty surrounding the draft Withdrawal Agreement, with a host of voices both domestically and in Europe warning the prospects of no deal' are rising.

Advertisement - Article continues below

The likelihood of the Theresa May's agreement securing enough support by MPs is low, with the Prime Minister repeatedly claiming the only other two options on the table if her deal is rejected are no deal' and no Brexit'.

The guidance sets out a number of key examples of organisations that may be affected by the change in circumstance.

No-deal withdrawal wouldn't impact, for instance, a hotel in Cornwall that takes bookings from individuals across Europe that provide their personal details including names, and contact details, and sends personal data back to them.

The international transfers' aspect of no-deal withdrawal could affect the business if it uses a cloud IT service which stores or processes the data anywhere outside of the UK; for example an AWS server in the Netherlands.

Restricted transfers can, however, continue if this is covered by an adequacy decision made by the UK government.

The UK government also intends to recognise previous EU adequacy decision made by the European Commission prior to the exit date. These will allow restricted transfers to continue for those organisations whose data activities have already been covered by an adequacy decision.

The only exception, the ICO says, regards the EU/US Privacy Shield, which the UK will not be a part of without a deal, as it is a specific EU/US arrangement.

Featured Resources

Top 5 challenges of migrating applications to the cloud

Explore how VMware Cloud on AWS helps to address common cloud migration challenges

Download now

3 reasons why now is the time to rethink your network

Changing requirements call for new solutions

Download now

All-flash buyer’s guide

Tips for evaluating Solid-State Arrays

Download now

Enabling enterprise machine and deep learning with intelligent storage

The power of AI can only be realised through efficient and performant delivery of data

Download now
Advertisement
Advertisement

Recommended

Visit/security/privacy/355048/government-may-trace-covid-19-patients-using-mobile-phone-data
privacy

UK government may trace COVID-19 patients using mobile phone data

20 Mar 2020
Visit/policy-legislation/general-data-protection-regulation-gdpr/354842/irish-data-regulator-racks-up
General Data Protection Regulation (GDPR)

Irish data regulator racks up GDPR cases against Big Tech

24 Feb 2020
Visit/data-insights/data-management/354423/eu-us-data-transfer-tools-used-by-facebook-ruled-legal
data management

EU-US data transfer tools used by Facebook ruled legal

19 Dec 2019
Visit/backup/33385/arcserve-udp-9240dr-review-beef-up-your-backups
backup

Arcserve UDP 9240DR review: Beef up your backups

4 Apr 2019

Most Popular

Visit/infrastructure/server-storage/355118/hpe-warns-of-critical-bug-that-destroys-ssds-after-40000-hours
Server & storage

HPE warns of 'critical' bug that destroys SSDs after 40,000 hours

26 Mar 2020
Visit/software/355113/companies-offering-free-software-to-fight-covid-19
Software

These are the companies offering free software during the coronavirus crisis

25 Mar 2020
Visit/software/video-conferencing/355138/zoom-beaming-ios-user-data-to-facebook-for-targeted-ads
video conferencing

Zoom beams iOS user data to Facebook for targeted ads

27 Mar 2020
Visit/cloud/355098/ibm-dedicates-supercomputing-power-to-coronavirus-researchers
high-performance computing (HPC)

IBM dedicates supercomputing power to coronavirus research

24 Mar 2020