August 29th, 2019

Data protection in the event of a no-deal Brexit

If the UK exits the EU on 31st October 2019, it would technically mean that all data transfers between the EU and the UK must cease with immediate effect come midnight on that date. This would be the case until one of the following three mechanisms available for transferring data to countries, which are not considered to offer adequate protection of individuals’ data, has been put in place:

1. Binding Corporate Rules

These rules are suitable for large multinational corporations as these cover intra-organisational data transfers of personal data across borders.

2. Derogations

Derogations (an exemption from or relaxing of the law) should be applied restrictively and are only suited to processing, which is occasional and non-repetitive.

3. Standard Data Protection Clauses

For most small to medium-sized companies, these clauses are likely to be the preferable, or indeed only, option for ensuring that data can continue to flow between the UK and the remaining EU member states. However, it is important to note that these must not be modified and must be signed as provided. While they can be added to a wider contract, or have additional clauses added to them, care must be taken to ensure the standard clauses are not contradicted. Another key element to highlight is that these clauses will always be governed by the laws of the Member State in which the EU-based party is based.

When considering what steps to take in order to keep making international transfers of data, it is worth assessing current relationships with other parties. Is your company the controller of the data transfers, or the processor? Ultimately, the onus to ensure the transfer is legally permissible is with the controller. Having said that, Goodwille strongly recommends clients to adopt a proactive approach. It may be appropriate for a processor to be the driving force behind putting one of the three above-discussed mechanisms in place. This should be done by the 31st October 2019, regardless of the outcome of the Brexit negotiations.

Do you have any questions about how a no-deal Brexit might affect your business’s data protection and how you ought to prepare? Do not hesitate to contact us – we’d be happy to answer any questions you may have.

This update is for general guidance only. Specific legal advice should be obtained in all cases. This material is the copyright of Goodwille Limited (unless otherwise stipulated) and is not to be reproduced in whole or in part without prior written consent.