by Thomas Macaulay

How UK CIOs can keep data flowing across the EU after a no-deal Brexit

Sep 19, 2019
IT Leadership | IT Strategy

Fears of an imminent no-deal Brexit may have recently receded, but the capricious nature of contemporary British politics means the UK could still crash out of the EU without a deal, an outcome which would have an enormous impact on data flows.

The moment the UK departs without a deal, it will no longer be covered by an adequacy arrangement authorising uninterrupted flows of personal data with European Economic Area (EEA) member states. Instead, it would be deemed a “third country” for data protection purposes. This means businesses that share data with EEA nations must ensure that they hold an appropriate safeguard to continue data flows across the bloc.

In the longer-term, a no-deal Brexit could lead to double enforcement of breaches from both the UK regulator – the Information Commissioner’s Office – and the EU’s data protection authorities.

There would be little disruption in data transfers from the UK to the EU and to the 13 countries that the European Commission has determined to provide adequate data protection, subject to amending references to EU institutions and procedures that would no longer apply.

Flows to the US can also continue, under the terms of the EU–US Privacy Shield, as long as the companies that have signed up to the framework publicly state that they can continue.

Other countries will need an alternative agreement. Standard contractual clauses (SCCs) are the most popular option, and organisations can continue to use their existing SCCs for these countries.

Importing data from the EU to the UK will be more complicated.

SCCs or BCRs?

A no-deal Brexit will lead the EU to no longer recognise the UK as having adequate protections, which will force businesses in the UK to amend their SCCs.

“It will be a tweak, but some organisations have hundreds of standard contractual clauses in place with all of their vendors and their suppliers, so it could be quite a big task,” says Annabel Gillham, a partner in the global data privacy team at law firm Morrison & Foerster.


Multinational companies may prefer to use binding corporate rules (BCRs), which are tailored to the needs of an individual business and can be more effective for inter-group transfers. The BCRs that they currently have in place can be updated to ensure they apply if the UK leaves the EU without a deal, but gaining approval for the rules can be difficult.

“It takes a lot of time and effort to actually register binding corporate rules with the data protection regulator,” explains Gillham. “If they’re not already in place, then the easiest thing to do is implement standard contractual clauses … If you haven’t got numerous data importers and exporters then they can be really handy and easy to use.

“If you are a huge organisation with loads of inter-group transfers all the time, it is a lot easier to just put that effort into getting binding corporate rules in place, registering them with the data protection authority and relying on them. But for no-deal Brexit purposes, if you want to do a quick patch of the situation, then standard contractual clauses are definitely easier.”

Preparation tips

The ICO has published a six-step plan on how to ensure that data flows can continue after a no-deal Brexit and created an interactive tool that IT business leaders can use to determine whether they can use SCCs.

Gillham advises CIOs to focus first on securing their inbound data flows from the EU to the UK, and to investigate any large volumes of data transfers as well as information that is particularly sensitive, such as employee and criminal records data.

“Try and fix those by amending the standard contractual clauses,” she suggests. “That is the absolute priority. Another thing I would do is look at the flows across Europe. If you’re a UK business and you don’t have establishments in the EU, so you are UK-based but do sell into the EU, you should look at the possibility that both regimes will still apply to you. Just because you’re only based in the UK doesn’t mean that the EU GDPR will not apply anymore. It probably still will, so I would start looking at that.


“If you’re not established in the EU, don’t assume that the EU GDPR will stop applying, and take legal advice on the applicability of both regimes and what you might do to try and mitigate it.”