February 4, 2019
Elizabeth Denham’s latest blog busts the myths for UK small and medium-sized businesses transferring personal data to and from the EEA.
Ms Denham says that if the proposed EU withdrawal agreement is approved, “businesses can be assured that personal data will continue to flow until 2020 while a longer term solution can be put in place”.
However, she warns, in the event of “no deal” EU law will require UK companies to put additional measures in place when personal data is transferred from the European Economic Area (EEA) to the UK, in order to make those transfers lawful.
The Commission recognises that businesses and organisations are concerned. This latest blog challenges some of the misconceptions about what a “no deal” Brexit will mean for UK companies transferring personal data to and from the EEA.
Ms Denham explains that Brexit will not, in fact, stop the transfer of personal information from the UK to the EU altogether. In a “no deal” situation the UK Government has made clear its intention to enable data to flow from the UK to EEA countries without any additional measures. However, transfers of personal data from the EEA to the UK will be affected.
The key question around the flow of personal data is whether the data is going from the UK to the EEA or exchanged both ways. Businesses that are unsure should start by mapping their data flows and establishing where the personal data they are responsible for is going.
Ms Denham encourages all businesses operating in the EEA to consider whether they need to take action now.
Busting another myth, Ms Denham explains that personal data transfers are not about whether a business is exporting or importing goods. Businesses therefore need to work out whether they are in fact transferring personal data to and from the EEA and if this is going to be lawful in the case of “no deal”.
Ms Denham reminds readers that it is the responsibility of every business to know where the personal data it processes is going, and that a proper legal basis for such transfers exists.
As for an adequacy decision from the European Commission, Ms Denham explains that an assessment of adequacy can only take place once the UK has left the EU. These assessments and negotiations have usually taken many months.
Although it is the ambition of the UK and EU to eventually establish an adequacy agreement, it will take time, she explains. Until then, businesses will need a specific legal transfer arrangement in place for transfers of personal data from the EEA to the UK, such as standard contractual clauses.
A further myth is that having a parent company based in the EU, where all personal data records are kept, means that subsidiaries do not need to do anything.
Ms Denham explains that this is not necessarily the case. In the case of “no deal”, UK companies transferring personal information to and from companies and organisations based in the EEA will be required by law to put additional measures in place.
Ms Denham concludes by saying that it is “in everyone’s interests that appropriate exchanges of personal data continue whatever the outcome of Brexit. The ICO will carry on co-operating internationally to ensure protections are in place for personal data and organisations have the right advice and guidance”.