1st Aug 2019
Businesses should tread with caution where personal data is concerned
Data protection and data flow are not exactly top priorities for businesses or citizens when considering the impact of Brexit. However, the implications should not be taken lightly given that collecting and processing personal data is integral to the sustenance of many businesses. For many technology driven companies, personal data forms the backbone of the operations. The British government, in its endeavor to deliver a pain-free Brexit, is working hard to deliver guidelines for all major issues that could concern businesses and individuals. Data flow and data protection is no exception.
Currently, personal data is collected, used and transferred with minimal restrictions under common conventions on both sides – other EU countries and the UK. However, if the UK decides to part ways with the EU on 31 October without a formal agreement in place, the situation is bound to change and data flow and data protection could be subject to new laws and regulations.
The regulations governing collection and use of personal data are established at an EU-level through the General Data Protection Regulation (GDPR). It is a regulation in EU law governing the data protection and privacy for all individual citizens of the EU. It lists the safeguards for the protection of personal data and giving data rights. The GDPR also stipulates when and how personal data can be transferred abroad (data flow).
UK data protection laws are aligned with the EU via GDPR. Within the UK, the Data Protection Act 2018 and the GDPR together provide a comprehensive data protection framework. Similarly, most other countries in the EU have their own complementary legislations.
Once it leaves the EU (deal or no-deal), Britain is likely to be regarded as a third country. Consequently, transfer of personal data from businesses within the EU to other businesses in the UK will be subject to stern data transfer rules, as stipulated in the EU GDPR. Also, EU businesses will have to ensure their transfers to UK are legal.
UK to EU data transfers
According to Government sources, personal data transfers from the UK to EU member states will remain unaffected.
EU to UK data transfers
UK businesses receiving personal data of EU citizens should be prepared for the possibility of no-deal. In the initial stages of separation at the least, a burden for compliance with Articles 46-49 of GDPR can be expected on businesses transferring personal data to the UK.
For more information on personal data protection, businesses can refer to the Information Commissioner’s (ICO) guidance, particularly the ‘6 steps’ checklist on what leaving the EU may mean for an organisation.