We need to talk about Brexit. And GDPR. Yes, again.
If you are still reading this article, you must be serious about making provisions to aid the continuity of your business. There are some short and inexpensive ways to get there.
Where we are now
At the moment, data flow between the UK and the EU is largely unrestricted because we have all adopted the same data safeguards under the General Data Protection Regulation (GDPR). When the accompanying UK Data Protection Act came into force in spring 2018, the intention was to have one further piece of legislation to deal with practical issues prior to our exit from the EU on 29 March. However, in the event of a hard Brexit chances are high that this legislation won’t be in place yet. So what impact will that have on UK trade?
It is not about whether you are exporting or importing goods or whether you provide services to EU nationals. It is all about whether you process and, more importantly, import personal data.
If you do not process personal data of individuals outside the UK
You do not need to make any changes as a result of Brexit. You do of course need to make sure that your business is compliant with the GDPR standards as implemented by the 2018 Data Protection Act. Those standards will remain in force post Brexit. The UK data regulator, the Information Commissioner (ICO), clearly intends to sanction businesses in breach of these standards, and even prosecute them using alternative legislation in order to impose a longer period of imprisonment. These standards should already be in place in your organisation, and if they are, there is nothing further to do.
If you transfer personal data from the UK to the EEA
The Government has stated that those data flows should remain unaffected even in the event of a hard Brexit. Your EU business partners will be concerned with the standards under which they hold the data but not those applied in its source country.
If you import personal data from EU countries
You need to look at your contracts. Whilst it is anticipated that the EU will issue a so called “adequacy decision” recognising the equivalence of UK data standards, in the event of a hard Brexit that decision may well not be immediate. If your existing contractual obligations require you to adopt GDPR safeguards, or clients question how you will remain GDPR compliant in the interim, your go-to solution is the “standard contractual clauses”.
The standard contractual clauses, if inserted into the data provisions of a contract unamended, are recognised by the EU as providing equivalent data safeguards to its own standards. The clauses are available on the Information Commissioner’s Office website at www.ico.org.uk.
Will the standard contractual clauses help?
Whilst businesses had hoped to avoid the need for additional measures, having only just invested in becoming GDPR compliant, adding these clauses will be at a limited cost and, from recent evidence, of significant benefit in retaining business. Recently, when businesses were carrying out due diligence on those with whom they share their data in readiness for GDPR implementation, those sharing with US organisations realised that for many there was a lack of similar safeguards and started moving their business to European companies instead. In order to stem the flow away from the US, many more organisations amended their contracts to include the US Privacy Shield standards, thereby applying safeguards recognised by the EU. These contractual amendments had a significant impact on the US companies’ ability to retain business - and the standard contractual clauses available from the ICO offer a similar benefit.
Deal or no deal, there is still time – 29 days, or 21 working days to be precise - to review and amend your contracts before Brexit. The cost? Minimal. The benefit? Significant.