Personal data transfers across international borders: What changes with Brexit?
There’s a lot of uncertainty about how and when the UK will leave the EU. This blog and downloadable guide help businesses prepare for handling personal data in the event of a no deal.
Businesses moving personal data in or out of the UK currently do so under the EU’s General Data Protection Regulation (GDPR) and UK Data Protection Act 2018. The GDPR offers harmonised data protection rules, and regulates data transfers from the EU to the rest of the world.
If the UK leaves the EU without agreeing arrangements for data protection – i.e. in a no-deal Brexit – there would be no immediate change in the UK’s own data protection standards. This is because the Data Protection Act 2018 would remain in place and the EU Withdrawal Act would incorporate the GDPR into UK law to sit alongside it. However, there are some changes you need to be aware of when organisations transfer data into the UK.
We’ve been in contact with the Department for Business, Energy and Industrial Strategy and have produced a downloadable guide to help businesses prepare in the event of a no-deal exit from the EU. The key points are summarised below.
Regardless of whether your business is affected, we would strongly urge you to review how you transfer personal data. Nearly one year on from when the GDPR came into force, there are still many businesses out there emailing personal data, using consumer-grade transfer tools and other processes that risk a compliance breach.
- The same stringent regulation will remain in place to protect UK residents’ personal data being transferred to countries either within the European Economic Area (EEA) or beyond.
- Organisations based in the EEA can transfer data to the UK, as long as they put alternative safeguards in place in line with the GDPR.
- Organisations elsewhere in the world will need to comply with their own data protection regulations in order to transfer data to the UK. Arrangements are being made with countries that have an EU adequacy agreement (deemed adequate), but if countries don’t deem the UK adequate by the time we leave the EU, they will need to make use of alternative mechanisms in their own law in order to continue to transfer personal data to the UK.
- There are specific recommendations for UK businesses providing goods or services in the EU/EEA but without a presence in an EU Member State, or with headquarters in the UK but with operations in the EU and processing personal data across EU/EEA borders.
For more information, download the resource – Data protection guidelines for businesses in a no-deal exit from the EU – from the Pro2col resource portal.
If you have any questions about how to transfer personal data, our experts can help you. Get in touch now to arrange a call. We have been providing secure data transfer solutions to businesses for over 15 years, transforming their infrastructure, increasing productivity, collaboration and data security, and streamlining processes.