The Information Commissioner’s Office are expecting organisations to “prepare for all scenarios”, including planning for the United Kingdom leaving the European Union with no deal. We have been closely following these developments and have planned accordingly.
These plans are administrative and will not impact our operations, service delivery, or safe-keeping of data in any material way. We expect regulators to act proportionately whatever the outcome.
We will provide further guidance here as the situation becomes clearer.
On Exit Day
The EU General Data Protection Regulations (GDPR) have already been enacted in UK law under the Data Protection Act 2018.
On exit, the Withdrawal Regulations will become law, and change the EU GDPR to the UK GDPR in this Act.
The EU GDPR will still exist and the UK will immediately be considered a third country, and will not be formally recognised as having an ‘adequate’ data protection environment.
If there is “no deal”
Under a “no deal” scenario, there are some changes to data transfers that we will make:
Where we handle personal data of EU citizens
We will be ensuring suitable protections are in place. This will include establishing Standard Contractual Clauses with entities transferring data to us, and providing a dedicated representative inside the EU.
Where we transfer UK or EU personal data to non-EU countries
We are reviewing and ensuring all transfers we make to non-EU countries will still be in compliance. This will affect some of the contracts we have in place under US Privacy Shield terms.
Where we transfer UK personal data to EU countries
The UK Government has said it will not impose any restrictions on these transfers. Our transfers of data in to the EU from the UK will remain unaffected.
If there is a deal
The earlier Withdrawal Agreement contained a transition period until at least December 2020.
If this Withdrawal Agreement (or a variation of it) is implemented, we believe that this would provide sufficient time for an adequacy decision to be reached.