The Guidance documents comprise:
- a “Six Steps to Take” guide;
- broader guidance on the effects of leaving the EU without a withdrawal agreement; and
- a general overview in the form of Frequently Asked Questions.
The “Six Steps to Take” guide covers the following:
- Continue to comply: organisations should continue to apply GDPR standards and follow current ICO guidance. If there is a Data Protection Officer, they can continue in the same role for both the UK and Europe.
- Transfers to the UK: organisations should review their data flows and identify where they receive data into the UK from the European Economic Area (EEA). They should consider what GDPR safeguards can be put in place to ensure that data can continue to flow once the UK is outside the EU.
- Transfers from the UK: organisations should review their data flows and identify where they transfer data from the UK to any country outside the UK, as these will fall under new UK transfer and documentation provisions.
- European operations: organisations that operate across Europe should review their structure, processing operations and data flows to assess how the UK’s exit from the EU will affect the data protection regimes that apply to them.
- Documentation: organisations should review their privacy information and internal documentation to identify any details that will need updating when the UK leaves the EU.
- Organisational awareness: organisations should make sure key people are aware of these key issues. They should include these steps in any planning for leaving the EU and keep up to date with the latest information and guidance.
The ICO has also produced an interactive guide to take organisations through the Standard Contractual Clauses process that some organisations might want to put in place with their European partners. Aimed particularly at small and medium-sized organisations, it is intended to help them decide whether Standard Contractual Clauses are relevant and to minimise the expense of putting them in place. It already includes help with completing the clauses, but the ICO says that it will be making further developments in the next few weeks to incorporate an online tool to help organisations generate them automatically.