The Information Commissioner’s Office has urged British businesses to review how they handle personal data in the run up to a possible no-deal Brexit.
Following a week of political turmoil, the data protection watchdog warned that a chaotic departure from the EU would impact transfers of data between the UK and the European Economic Area.
While the government’s proposed withdrawal agreement allows for the current data transfer regime to continue, Theresa May’s chances of securing parliamentary backing for the deal appear to be dwindling.
In the event that the UK leaves without an agreement, the government has said it will continue to allow data to flow from Britain to EEA countries – but transfers in the opposite direction “will be affected”, the ICO has stated.
In a blogpost, the information commissioner Elizabeth Denham said that “organisations will need to carefully consider alternative transfer mechanisms to maintain data flows”. “The guidance we have produced will help you weigh the options and take action if this proves necessary.”
The ICO has published a series of documents, including a six step guide, aimed at informing businesses about the measures they should be taking ahead of 29 March – the date the UK is expected to leave the EU.
If a UK business wants to share data outside of the EEA and there is no adequacy deal covering the transfer, it may need to put in place a standard contractual clause between itself and the recipient of the data. The ICO has developed an interactive tool to guide the use of SCCs.
Cloud computing is one area which may present issues for businesses. If a UK organisation is processing European citizens’ data and hosting them in an overseas data centre managed by a third-party cloud service provider, the ICO says it should assess its arrangements.
Giles Derrington, the head of policy at trade body TechUK, said that too many businesses “remain unprepared for the impact no deal would have on the ability to transfer data. This guidance should help focus minds on the practical steps that businesses need to take.”
“TechUK remains convinced that adequacy agreements between the UK and the EU are the most suitable way of maintaining data flows, and was pleased to see commitments from both the UK and EU in the political declaration to reach adequacy agreements by the end of the transition period, should the Withdrawal Agreement be agreed.
“However, this additional clarity from the ICO about the steps businesses can take to facilitate data transfers if there is no deal is welcome, techUK urges all businesses to use this information to make sure that they are as prepared as possible should a no deal occur in March 2019.”