The Information Commissioner’s Office (ICO) has revealed contemporary steering for small and medium-sized enterprises (SMEs) on private knowledge transfers within the occasion of a no-deal Brexit.As the clock ticks all the way down to the Brexit date of 29 March 2019, the prospect of the UK leaving the European Union (EU) and not using a deal turns into ever higher and companies ought to guarantee they’re ready for it, Jonathan Bamford, director of strategic coverage on the ICO, warned at a latest Westminster eForum occasion on General Data Protection Regulation (GDPR) observe in London.To assist UK companies perceive the implications of a no-deal Brexit, data commissioner Elizabeth Denham has revealed steering geared toward busting some widespread myths.“At the moment, personal data flow is unrestricted because the UK is an EU member state. If the proposed EU withdrawal agreement is approved, businesses can be assured that personal data will continue to flow until 2020 while a longer-term solution can be put in place,” she stated in a weblog submit.However, she warned no-deal Brexit will imply that UK corporations must put extra measures in place when private knowledge is transferred from the European Economic Area (EEA) to the UK.“With less than two months to go until the UK leaves the EU, we recognise that businesses and organisations are concerned,” stated Denham.Busting widespread myths
The first delusion addressed is that Brexit will cease UK companies from transferring private data from the UK to the EU altogether.
In a no-deal scenario, Denham stated the UK authorities has already made clear its intention to allow knowledge to movement from the UK to EEA international locations with none extra measures, however cautions that transfers of non-public knowledge from the EEA to the UK will probably be affected.
“The key question around the flow of personal data is whether your data is going from the UK to the EEA or exchanged both ways? If you are unsure, start by mapping your data flows and establish where the personal data you are responsible for is going.”
All companies working within the EEA ought to contemplate whether or not they should take motion now, stated Denham, advising that every one these affected ought to seek the advice of the Information Commissioner’s Office’s steering pages to ascertain whether or not they should put together for knowledge transfers within the occasion of a no-deal Brexit.
The second delusion addressed is that UK companies equivalent to a household lodge might want to arrange a particular settlement to cope with the private particulars of EU clients.
When a buyer passes their very own private knowledge to an organization within the EEA, Denham stated it’s not thought of to be an information switch and may proceed with out extra measures.
“However, there may be other ways you transfer data, for example a booking agency transferring a list of customers, in this case you may need additional measures,” she stated, advising companies to examine the ICO’s steering pages on Brexit.
“You need to assess whether your business involves transfers of personal data to and from the EEA and if this is going to be lawful in the case of ‘no deal’”
Elizabeth Denham, ICO
The third delusion addressed is that Brexit will have an effect on solely knowledge transfers of UK corporations truly exporting items or companies to the EU.
Personal knowledge transfers aren’t about whether or not a enterprise is exporting or importing items, stated Denham. “You need to assess whether your business involves transfers of personal data – such as names, addresses, emails and financial details – to and from the EEA and if this is going to be lawful in the case of ‘no deal’,” she stated, including that it’s the duty of each enterprise to know the place the private knowledge it processes goes, and correct authorized foundation for such transfers exists. In this regard, she recommends companies take a look at the ICO’s steering on six steps to take.
The fourth delusion addressed is UK enterprise will probably be superb as a result of there will probably be a European Commission adequacy determination on exit day on 29 March 2019 to make sure the uninterrupted exchanges of non-public knowledge between the UK and the EU.
“Adequacy” is the time period given to international locations outdoors the EU which have knowledge safety measures which are deemed basically equal to European requirements. Companies and organisations working inside international locations with adequacy agreements take pleasure in uninterrupted movement of non-public knowledge with the EU.
However, Denham stated that an evaluation of adequacy can happen solely as soon as the UK has left the EU and warned that these assessments and negotiations have often taken many months.
“Although it is the ambition of the UK and EU to eventually establish an adequacy agreement, it won’t happen yet. Until an adequacy decision is in place, businesses will need a specific legal transfer arrangement in place for transfers of personal data from the EEA to the UK, such as standard contractual clauses,” she stated.
The fifth delusion addressed is that if a enterprise’s father or mother firm in Europe retains all private knowledge information centrally, there isn’t any want to fret about any new agreements.
“Don’t presume you are covered by the structure of your company. In the case of ‘no deal’, UK companies transferring personal information to and from companies and organisations based in the EEA will be required by law to put additional measures in place. You will need to assess whether you need to take action,” stated Denham.
There are many mechanisms corporations can use to legitimise the switch of non-public knowledge with the EEA equivalent to commonplace contractual clauses and binding company guidelines. The ICO has produced an internet device to assist organisations put contract phrases in place to offer a lawful foundation for knowledge transfers.
“You know your organisation best and will be able to use our guidance to assess if and how you need to prepare. Alternative data transfer mechanisms exist, but it can take time to put those arrangements in place,” stated Denham, including that it’s in everybody’s pursuits that acceptable exchanges of non-public knowledge proceed regardless of the final result of Brexit.
“The ICO will carry on co-operating internationally to ensure protections are in place for personal data and organisations have the right advice and guidance,” she stated.