The Information Commissioner's Office (ICO) has issued guidance for UK organisations on how to cope with data transfers being blocked in the event Britain crashes out of the European Union (EU) without a deal.
Despite bringing the General Data Protection Regulation (GDPR) into UK law in the form of the Data Protection Act 2018, leaving the EU without a deal in place means Britain will be, for a time, classed as a third country' until an adequacy agreement can be implemented.
This means that while some data can be transferred from the UK to European Economic Area (EEA) countries, something supported by the UK government, there will be a stop to all flow of personal information in the opposite direction until a data adequacy agreement comes into force, according to the ICO.
Personal information has been able to flow freely between the UK and EU countries to date because all nations have adhered to the same standards. The EU also allows the free-flow of data between member states and non-EU countries through data adequacy decisions.
But any such arrangements will take time to conclude and cannot logistically be in place by March 2019, the legislative date of withdrawal, unless Article 50 is extended or suspended. This means businesses will need to consider their circumstances and adapt their operations accordingly.
It could also severely hamper the delivery of public services, including many NHS Trusts and their suppliers, which store data on often-EEA-based AWS servers.
"The guidance we have produced will help organisations plan ahead and ensure that personal data continues to flow," said Information Commissioner Elizabeth Denham.
"We will be providing further information to the small number of organisations in the UK that rely on approved Binding Corporate Rules for their transfers to explain how they may be affected.
"We will continue to help all organisations understand how any future changes in data protection regulation will affect you and the measures you need to put in place."
Minimising disruption post-Brexit
The broader guidance includes a set of frequently asked questions (FAQs) regarding the various information and data regulations with which businesses have had to comply, as well as a six-step checklist for organisations to follow.
The FAQs highlight such queries as what will the UK data protection law be if we leave without a deal?', and Will the GDPR still apply if we leave the EU without a deal?'
The ICO's six-step checklist, meanwhile, highlights a range of measures organisations will need to implement to ensure minimal disruption beyond March.
These include continual GDPR compliance, assessing transfers to and fro the UK, reviewing the organisational structure if operating across Europe, reviewing privacy information and documentation, as well as raising the level of awareness among senior staff.
One key measure that businesses can implement are Standard Contractual Clauses between themselves and EU-based organisations. The ICO has also produced an interactive walkthrough mainly targeting SMBs to determine whether this is a suitable measure for them to implement.
The walkthrough includes help with completing the essential clauses of these contracts and also minimises the costs of putting these into place. The ICO is also aiming to incorporate an online tool that can automatically generate these contracts.
Prospects of 'no deal' are rising
The guidance has been issued amid political uncertainty surrounding the draft Withdrawal Agreement, with a host of voices both domestically and in Europe warning the prospects of no deal' are rising.
The likelihood of the Theresa May's agreement securing enough support by MPs is low, with the Prime Minister repeatedly claiming the only other two options on the table if her deal is rejected are no deal' and no Brexit'.
The guidance sets out a number of key examples of organisations that may be affected by the change in circumstance.
No-deal withdrawal wouldn't impact, for instance, a hotel in Cornwall that takes bookings from individuals across Europe that provide their personal details including names, and contact details, and sends personal data back to them.
The international transfers' aspect of no-deal withdrawal could affect the business if it uses a cloud IT service which stores or processes the data anywhere outside of the UK; for example an AWS server in the Netherlands.
Restricted transfers can, however, continue if this is covered by an adequacy decision made by the UK government.
The UK government also intends to recognise previous EU adequacy decision made by the European Commission prior to the exit date. These will allow restricted transfers to continue for those organisations whose data activities have already been covered by an adequacy decision.
The only exception, the ICO says, regards the EU/US Privacy Shield, which the UK will not be a part of without a deal, as it is a specific EU/US arrangement.
