Since a no-deal Brexit is looking increasingly likely, the UK government recently released additional guidance to supplement the Information Commissioner’s Office’s (ICO) earlier description of the future data protection regime.
The government has stated that it will permit data to flow from the UK to EEA (European Economic Area) countries, but organisations that have data flows from the EEA to the UK will be affected.
It stated: “The EU (Withdrawal) Act 2018 (EUWA) retains the GDPR in UK law. The fundamental principles, obligations and rights that organisations and data subjects have become familiar with will stay the same. To ensure the UK data protection framework continues to operate effectively when the UK is no longer an EU Member State the Government will make appropriate changes to the GDPR and the Data Protection Act 2018 using regulation-making powers under the EUWA.”
As a result, the ICO recently issued a statement to recommend standard contractual clauses for all transfers of personal data to any country outside the EEA. Organisations that rely on binding corporate rules will receive further information from the ICO in due course.
In addition, the government has announced that it will publish plans in the next few weeks setting out the changes to the GDPR and the Data Protection Act 2018 and their implications.
The new regulations and detailed guidance will:
- Preserve the GDPR in local law;
- Confirm that the UK will transitionally recognise all EEA countries (including EU Member States) and Gibraltar as ‘adequate’ to allow data flows from the UK to Europe to continue;
- Preserve the effect of existing EU adequacy decisions, including the EU-US Privacy Shield, on a transitional basis;
- Preserve EU standard contractual clauses and binding corporate rules authorised before Exit Day;
- Maintain the extraterritorial scope of the UK data protection framework; and
- Require non-UK controllers that are subject to the UK data protection framework to appoint a representative in the UK if they are processing UK data on a large scale.
Moreover, the ICO has advised organisations that do not have the UK as their lead supervisory authority to review the structure of their EU operations and assess whether they will continue to be able to have a lead authority and benefit from the one-stop-shop mechanism.
Organisations will have to deal with both the ICO and the supervisory authority in the other EEA state where they are established, according to the ICO.
The ICO says “organisations should consider now which other EU and EEA supervisory authority will become lead authority on Exit date (if any) and approach them closer to the exit date.
“On Exit, the ICO will not be a supervisory authority for the purposes of the EU GDPR and so will not be an EDPB member.”