The debate over Brexit is raging in Parliament. The outcome will have far-ranging impacts across the UK. If your business either sends personal data to another EU country or operates in the European Economic Area (EEA), there will be additional considerations for organisations. As no firm decisions have been made on Brexit, businesses in the UK will need to have provisions in place for both outcomes.
At the moment, data flows freely between the UK and EU since the UK is still a member state. That could all change based on the outcome of Brexit.
Although some scenarios might seem unlikely, given the existence of local laws and regulations such as the Data Protection Act, businesses in the UK will need to prepare for all outcomes. Here are two possible outcomes as a result of the UK leaving the EU:
Brexit Deal (Includes Adequacy): A deal to bring the UK out of Europe with an adequacy agreement in place ensures the secure third country status. This agreement and status will not automatically mean that organisations and businesses based in the UK will be deemed to have adequate security measures in place to protect the rights and freedom of EU data subjects. Additional thought should still be given to the legality of the data transfers and other applicable legal requirements.
No Brexit Deal: (Without Adequacy): In the event of a No Deal Brexit and no adequacy agreement, there will remain uncertainty about secure-country status. If UK is deemed an insecure third country, the following GDPR Articles and stipulated requirements could be directly impacted:
- Art. 40 GDPR Codes of conduct
- Art. 42 GDPR Certification
- Art. 44 GDPR General principle for transfers
- Art. 45 GDPR Transfers on the basis of an adequacy decision
- Art. 46 GDPR Transfers subject to appropriate safeguards
- Art. 47 GDPR Binding corporate rules
- Art. 48 GDPR Transfers or disclosures not authorised by Union law
- Art. 49 GDPR Derogations for specific situations
- Art. 63 GDPR Consistency mechanism
In the unlikely scenario of the UK becoming an insecure third country, additional measures to attain a status of adequacy (organisational) may be required. It is recommended that organisations and businesses in the UK prepare for all scenarios given the great deal of uncertainty the UK currently faces.
Reduce Your Uncertainty
Professional consultants can be the solution to the dilemma of not having enough knowledge and expertise to handle the latest regulations. Cipher provides an array of GDPR assessment and consulting services to help customers gain a holistic view of their state of compliance.