Wednesday, January 23, 2019
It remains to be seen whether the UK will ‘crash out’ of the EU when it leaves at 00.00am CET on 30th March, 2019. Should this happen, the UK will become a ‘Third country’ for the purposes of EEA personal data transfers. This means data that was once able to flow freely between the UK and EEA without any specific safeguards, will no longer be possible. This affects Irish (and European) businesses and organisations dealing with parties in the UK, including Northern Ireland. In light of recent guidance from the Irish Data Protection Commission (DPC) and the UK Information Commissioner (ICO), we explain below the main implications of a ‘no deal’ Brexit for organisations transferring data between Ireland/ the EEA and the UK, and the steps they should be taking in order to ensure that data can continue to flow. If your organisation uses a UK entity to provide any service, it is quite likely that a personal data transfer is taking place and plans should be made on how to deal with this in a no-deal scenario.
Steps to ensure data continues to flow
Transfers from the UK to Ireland / the EEA
Post-Brexit, the UK Government has said the UK will continue to acknowledge the EEA Member States as having an adequate level of protection for safeguarding personal data. This is welcome news if you are an Irish organisation receiving data from the UK, as that personal data can continue to flow freely from the UK to Ireland/ the EEA.
Transfers from Ireland to the UK
The DPC’s December guidance has indicated the next steps to take for Irish organisations transferring data to the UK:
Also, because both processors and controllers are required to implement appropriate safeguards, all kinds of organisations – including those with intra-group service arrangements and those with third parties – must make the necessary changes.
“Six Step Approach”
The ICO has designed a helpful ‘Six Steps to Take’ guide to help all organisations make the precautionary preparations that will help ensure data flows continue post-Brexit.
The status of Ireland-UK data transfers post-Brexit looks more uncertain than ever in light of the resounding defeat of Theresa May’s Withdrawal Proposal. Any development in the area could have a significant impact on data transfers and prudent precautions should therefore be taken. There will be a steady flow of information and guidance from the Irish DPC, UK ICO and the UK Government as the withdrawal date of 30th March edges closer, so be sure to check these sources regularly.
For more information on this topic, or if you have any questions relating to data transfers, please contact the Data, Privacy and Technology team at Philip Lee.