The DCMS and the ICO have both published guidance outlining the impact that a no deal Brexit will have on UK data protection and the steps that organisations can take to prepare for that eventuality.
The DCMS has published a snapshot of changes to data protection law that it calls the ‘no deal Framework’. In brief:
– data controllers are reminded that their responsibilities will not change. The same GDPR standards will continue to apply in the UK and the Information Commissioner will remain the UK’s independent regulator for data protection.
– the UK will transitionally recognise all EEA states, EU and EEA institutions, and Gibraltar as providing an adequate level of protection for personal data, allowing the free flow of personal data, though it adds that these decisions will be kept under review.
– the UK cannot provide for the free flow of data into the UK; those that rely on data transfers from the EU will need to work with their EU counterparts to make sure an alternative mechanism for transfer (such as standard contractual clauses) is in place.
– existing EU adequacy decisions will be honoured on a transitional basis. Adequacy decisions are currently in place for: Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, Uruguay and the United States of America (under the controversial Privacy Shield framework).
– provision will be made so that the use of Standard Contractual Clauses (SCCs) that have previously been issued by the European Commission will continue to be an effective basis for international data transfers.
– existing authorisations of Binding Corporate Rules (BCRs) made by the Information Commissioner will continue to be recognised in domestic law. After Exit day the Information Commissioner will continue to be able to authorise new BCRs under domestic law.
– the Government intends to retain the extraterritoriality contained in the GDPR within the UK’s data protection framework so laws will apply to overseas controllers or processors where they are processing personal data about individuals in the UK for supplying goods and services and monitoring their behaviour. This includes controllers and processors based in the EU.
– a provision will replicate that in the GDPR requiring appointment of a representative, so that controllers based outside the UK will need to appoint a representative in the UK.
The full guidance can be read on the DCMS website.
Alongside that, the ICO has issued online guidance for organisations on what they will need to do.
In particular, the International Transfers section of the guidance reviews the current thinking on the question of how EU parties may or may not be able to transfer data to the UK once we are a third party without the benefit of an adequacy decision.
That guidance is available on the ICO website.