Data Protection was not a large consideration for most UK citizens and businesses on the run up to the 2016 Brexit referendum, but their decision to leave the European Union, is causing much panic now for businesses transferring data to and from the UK. With 11% of global cross border data flowing through the UK, and a current lack of an adequacy agreement from the EU, an invisible trade barrier is emerging for many ICT and SaaS businesses.
Essentially, EU GDPR will expire within the UK at 11pm on 31st December 2020 and a new UK GDPR will be in place instead. However, all the main principles and obligations exist in both regulations. UK Personal Data protection legislation will therefore consist of UK GDPR, DPA & PECR, and Irish companies processing data on behalf of UK citizens will have to comply with each. Personal Data to EU countries from the UK will be sent under the new UK rules. However, data flowing from the EU to the UK may require additional controls through restricted transfers, as outlined below.
The UK is currently going through an adequacy assessment from the EU (which is intertwined with the ongoing Free Trade Agreement negotiations), but if this adequacy is not agreed, appropriate safeguards will have to be put in place to transfer personal data. If the transition period ends without adequacy, organisations based in the UK who need to maintain the free flow of personal data into the UK from Europe (or vice versa), should put in place a contract between receiver and the sender on EU-approved terms, known as standard contractual clauses (SCCs). These are the easiest ‘off the shelf’ solution to facilitate these international transfers of data. However, an alternative for multinational groups sending data between its entities is Binding Corporate Rules (BCRs), and current EU BCR’s will be recognised in the UK but require approval from the UK’s Information Commission Office. Other options exist also but are more complex, such as ad-hoc contractual clauses, enhanced codes of conduct, certification and even derogations. Professional legal advice is recommended for each of these solutions.
As a starting point, the UK’s Information Commission Office have published a tool for small and medium-sized businesses and organisations who need to maintain the free flow of personal data into the UK from Europe, which assesses the data protection risks within their supply-chain. This tool is available here: ICO Website
Since the UK Brexit referendum in June 2016, Arvo Procurement have worked with several thousand businesses on the island of Ireland about their Brexit challenges, plans and opportunities. In recent times, Arvo have published a free Brexit eBook, with this practical purchasing guideline provides essential support for businesses tackling the multi-headed monster created by Britain’s exit from the EU.
Mike McGrath is Managing Director of Arvo, which develops strategic sourcing techniques to reduce the costs and risks associated with Britain’s exit from the EU. This typically entails analysis, reporting and planning with clients to define appropriate sourcing strategies that will minimise interruption to their supply chains. Mike previously founded the eSourcing platform “supply.ie”, and since the UK Brexit referendum in June 2016, Mike has spoken to several thousand businesses on the island of Ireland about their Brexit challenges, plans and opportunities. Mike and the team at Arvo also published a free Brexit eBook and this practical purchasing guideline has provided essential support for businesses tackling the multi-headed monster created by Britain’s exit from the EU.