In preparation for a possible no-deal Brexit, the UK Government has published guidance about how this will affect data protection. The EU uses a mechanism called an adequacy decision to allow the free flow of personal data to countries outside the EU. BH Consulting CEO Brian Honan has identified the key section of the UK guidance if there is no adequacy decision regarding the UK post-Brexit.
The UK Government said that it needs to prepare for all eventualities, including a no deal scenario in March 2019. As the date nears, preparations for a no deal scenario are speeding up but London insists this doesn’t reflect current discussions between the UK and the EU. “Such an acceleration does not reflect an increased likelihood of a ‘no deal’ outcome. Rather it is about ensuring our plans are in place in the unlikely scenario that they need to be relied upon,” the Government said.
The full guidance is here. Brian says the key section in the event of no adequacy decision is this one:
“For the majority of organisations the most relevant alternative legal basis would be standard contractual clauses. These are model data protection clauses that have been approved by the European Commission and enable the free flow of personal data when embedded in a contract. The clauses contain contractual obligations on you and your EU partner, and rights for the individuals whose personal data is transferred. In certain circumstances, your EU partners may alternatively be able to rely on a derogation to transfer personal data. We recommend that you proactively consider what action you may need to take to ensure the continued free flow of data with EU partners.”
Back to the BCRs
Brian Honan interprets this section as applying to all data travelling from the EU into a client’s operations and/or to third party providers or partners based in the UK. “Note the above talks about model data protection clauses but many experts say these will not suffice and we will need to look at binding corporate rules (BCRs) instead,” Brian said.
BCRs are the internal rules for data transfers within multinational companies, as explained by the European Commission. The Irish Data Protection Commissioner also has a brief explanation of BCRs.
Earlier this year, Brian wrote an article for the Irish Independent about data protection in a post-Brexit Britain. He pointed out that GDPR will remain in effect until March 2019 no matter what happens after that date. Stay tuned to our blog for more news about data protection, privacy and GDPR in the weeks ahead.