The UK is currently set to leave the European Union on 29 March 2019, and there is an increasing danger that it will do so on a "no deal" basis.
The Irish Data Protection Commission and its UK equivalent, the Information Commissioner's Office, have both set out guidance on what companies should do if that becomes a reality, which is available on their websites.
Below we have highlighted the main implications of a "no deal" Brexit for businesses transferring personal data between Ireland and the UK, and the precautionary measures companies should be putting in place in order to ensure that personal data flows are not interrupted.
The Data Protection Act 2018, incorporating the GDPR (“DPA”), sets out a number of approved mechanisms which can be used to transfer personal data to a third party in a country outside the EEA which has not been deemed by the European Commission as providing "adequate" protection for personal data.
While the UK has sought an "adequacy" decision, the European Commission has stated that it is not in a position to consider such an application before the UK leaves the Union.
Therefore, from 00.00 a.m. CET on 30 March 2019, in the absence of a Brexit "deal", the UK will be considered a third country without adequate protection.
Companies in Ireland transferring personal data to the UK after that time will need to have an approved mechanism in place in order to comply with the DPA.
The most widely used of such mechanisms, and possibly the easiest to implement, are the Standard Contractual Clauses (“SCCs”), also known as the Model Clauses.
These are a set of terms agreed by the European Commission, which effectively oblige the recipient of personal data to protect it on the same basis as if that party were directly bound by the EU legislation.
Take Action Now
To ensure that you continue to comply with the DPA in respect of personal data transfers to the UK, we have set out a number of actions below which we would recommend you consider:
- Conduct a data mapping exercise to capture any personal data being transferred to companies in the UK. Examples include using a UK based third party service provider, or cloud storage provider, but also transferring such data to a UK subsidiary or affiliate.
- Determine if any transfers identified as part of the mapping exercise need to continue after Brexit.
- If the answer is yes, consider which approved mechanism, such as SCCs, best suits your circumstances and work towards having it in place by 30 March.
Transfers of Personal Data from the UK to Ireland
Note, the UK Government has stated that it will transitionally recognise the remaining EEA Member States as having an adequate level of protection for personal data. This means that personal data can continue to flow freely from the UK to the EEA (including Ireland).
Therefore Irish businesses receiving personal data from the UK can continue to do so after Brexit, and do not need to take any action.
Maples is assisting clients in considering measures that they should take to ensure compliance with the DPA when transferring personal data between Ireland and the UK following a no deal Brexit.
In most cases, this will include:
- Assistance in conducting the necessary data mapping exercise;
- Advising on the SCCs and other mechanisms available to ensure compliance with the DPA; and
- Assisting with the implementation of the appropriate mechanism.