
Prepare for no-deal Brexit, says ICO

The UK data protection authority is urging businesses to prepare for a no-deal Brexit to ensure there is no interruption in data flows from Europe

As the clock ticks down to the Brexit date of 29 March 2019, the prospect of the UK leaving the European Union (EU) without a deal becomes ever greater and businesses should ensure they are prepared for it, says Jonathan Bamford, director of strategic policy at the Information Commissioner’s Office.

While the UK government intends to seek an adequacy decision for the country, which would recognise the UK’s data protection regime as essentially equivalent to those in the EU, this will not be in place before Brexit, the ICO has warned.

“Some people think there is going to be some magic adequacy finding by the EC around 29 March, but the EC and the UK government don’t think that is going to happen,” Bamford told a Westminster eForum event on GDPR practice in London. “So you need to think about what the situation will be if there isn’t an implementation period as the result of a withdrawal agreement – a no-deal Brexit – and you need to prepare for that.”

The government has made it clear that the General Data Protection Regulation (GDPR) will be absorbed into UK law at the point of exit, said Bamford, which means there will be no substantive change to the rules that most organisations need to follow. But he emphasised that organisations need to prepare for the possibility of a no-deal Brexit because there may be no adequacy agreement for some time.

“Organisations really need to have some thoughts on that and have some processes in place,” he said, not only for organisations that receive data from Europe, but also those that use cloud services based within the EU.

“Many organisations don’t realise that their cloud services are not based in the UK, and that could expose them to risk,” he added.

Barry Moult, director of BJM IG Privacy, said he thought he knew where all his organisation’s data was, but found out recently that a contractor had switched storage services to a cloud provider outside the EU without notifying him at the time.

“It turned out that they had been doing this for up to eight months before we happened to find out,” he told the Westminster eForum. “So I think there is a lot of work to be done around where data is stored and who has access to it.”

Linda NiChualladh, head of privacy, legal at Citi, said the banking group had renegotiated all of its data services supplier contracts for the GDPR in the light of Brexit. “But you can only do that if you know where your data is, which meant a huge emphasis on understanding data flow, which for most organisations has been a difficult challenge,” she said.

“For global organisations operating in multiple jurisdictions, you also have to have regard for how you transfer data within your organisation. It is not just about third-party data transfers, so you might have to look at whether your binding corporate rules stack up in the light of GDPR and Brexit.”

Bamford encouraged organisations to consult the dedicated data protection and Brexit page on the ICO website, which includes a “Six steps to take” guide, broader guidance on the effects of leaving the EU without a withdrawal agreement, and a general overview in the form of frequently asked questions.


According to ICO guidance, organisations that rely on transfers of personal data between the UK and the European Economic Area (EEA) will be affected by a no-deal Brexit.

Personal information has been able to flow freely between organisations in the UK and the EU without any specific measures because of the GDPR, but this two-way free flow of personal information will no longer be the case if the UK leaves the EU without a withdrawal agreement that specifically provides for the continued flow of personal data.

In this event, the government has already made clear its intention to permit data to flow from the UK to EEA countries. But transfers of personal information from the EEA to the UK will be affected, the ICO has warned. Potential solutions include putting standard contractual clauses (SCCs) in place with organisations outside the UK.

Bamford said: “Because SCCs may come to the fore, there is guidance to help organisations decide if that will work for them and there is also a new SCC generator to help organisations formulate the text they need.”

Chris Combemale, chief executive of the DMA Group, pointed out that articles 40 and 41 of the GDPR indicate a clear role for industry codes of conduct, backed by a robust co-regulatory enforcement mechanism.

“The regulation states that associations or other bodies representing categories of controllers or processors should be encouraged to draw up codes of conduct within the limits of this regulation so as to facilitate the effective application of this regulation, taking into account the specific characteristics of the processing area in certain sectors and the specific needs of micro, small and medium enterprises,” he said.

“Of particular interest is article 40 clause three, which states that international data transfers to third countries could be carried out under an industry code if there was no adequacy agreement in place.

“So, in other words, for marketing, if we had a code approved by the EDPB [European Data Protection Board], you could carry out your marketing data transfers and processing under that code in the absence of an adequacy agreement and as an alternative to SCCs, which is particularly urgent in the light of the fact that we may be heading for a no-deal Brexit.

“Therefore, it is very unfortunate that the EDPB has not yet started taking applications for industry codes or set out clearly the process for doing so, despite the fact that the direct marketing industry and many others are ready to implement such codes.”

Combemale added that the GDPR covers every aspect of the economy, and “only the experts in a particular field really understand how it applies to their particular sector”.

Industry codes important

Although there is no hope that there will be any approved industry codes by 29 March, Combemale said the codes are important in the longer term to take advantage of the fact that the GDPR allows for the possibility of co-regulation in the area of data protection which has not existed before.

“The ICO has a team looking at industry codes and we believe there is going to be a role for industry in interpreting GDPR and some level of cases may be handled under those codes with industry enforcement mechanisms, leaving national data protection authorities free to deal with the most difficult and complex cases that create the most harm for the most people,” he said.

Emily Sheen, manager, data protection strategy, legal and compliance services at PwC, said that although there was “no need to panic”, organisations do need to think about what a no-deal Brexit could mean for them in terms of their business data flows from the EU.

“Hopefully, most organisations have an idea about the data processing and sharing that is being done within the EU, but they need to be thinking about SCCs as an alternative way of enabling those transfers,” she said, adding that although SCCs are “not that difficult” to implement, organisations should be preparing to do so if the need arises.

“I would recommend that organisations should identify where their riskier or more important data transfers are, and have some plan in place to get those SCCs implemented in what may be a short space of time,” Sheen added.

Data flows under threat

Commenting on Brexit and data protection in the wake of the UK parliament’s rejection of the government’s Brexit deal, Eduardo Ustaran, co-director of the global privacy and cyber security practice at legal firm Hogan Lovells, said the deal would have meant business as usual in terms of data flows until the end of 2020 and “probably” data adequacy in the longer term.

“But with the increased possibility of a no-deal Brexit, data flows post-29 March are under threat,” he said. “Preparing for a no-deal Brexit requires identifying current and future EU-UK data transfers and urgently ensuring that UK entities become ‘safe importers’ of data in data transfers agreements.”

On top of that, Ustaran said UK-based providers of data processing services need to offer express contractual safeguards to meet European expectations, and onward transfers of EU data beyond the UK must be equally legitimised.

“So a no-deal Brexit definitely means more bureaucracy, not less,” he said. “And all of this at a time when UK data protection is already subject to GDPR rules and the scrutiny of the information commissioner anyway, so it is somewhat surreal that Brexit is affecting the freedom of movement of data between the EU and the UK at all.

“This is a clear example of how toxic a potential no-deal scenario has become and how it will impact the digital economy in the future.”

UK tech firms want to remain as close to the EU as possible and believe a second referendum on membership of the trading bloc would be the best way out of the current political stalemate, a survey has revealed.

More than 50% of respondents told TechUK that a second referendum would be their first choice in what should happen next. The next highest-ranked option was extending Article 50, with 16% naming this as their first choice.
