As we know, the GDPR governs how data related to EU citizens is handled.
When the UK quits the EU – particularly in the event of a ‘no deal’ Brexit – the EU will have to separately approve the UK as a destination with appropriate safeguards in place before data can be freely transferred. This approval is highly unlikely to be granted any time soon.
UK companies wishing to transfer personal data from the EEA to the UK after Brexit are likely to require additional measures to remain GDPR-compliant. These measures are likely to include certain contractual clauses within data agreements.
The ICO has compiled a useful tool for small and medium-sized businesses and organisations based in the UK who need to maintain the free flow of personal data into the UK from Europe, in the event the UK exits the EU without a deal.
In addition, a number of US-based cloud service providers are GDPR-compliant because of their participation in ‘Privacy Shield’ provisions. These provisions define interactions with EU entities. When the UK exits the EU, unless Privacy Shield members update their privacy statements to include a newly standalone UK, transferring personal data to them might become technically non-compliant for GDPR purposes. Read more here.
Further ICO guidance on personal data use following Brexit can be found here.
To discuss the issues highlighted above, contact Steven Godfrey.
The information contained in this article is for discussion purposes only. Auditel does not offer regulatory or legal advice and qualified professional guidance should be sought where appropriate.