Brexit Preparation: Get Personal Data Flows in OrderPrivacy Watchdog Orders Businesses to Prepare as UK Teeters on Edge of 'No Deal'
As the U.K. teeters on the edge of a "no deal" Brexit, U.K. Information Commissioner Elizabeth Denham has warned businesses to prepare. In particular, any organization that handles Europeans' personal data must ensure they have a legal transfer arrangement in place.
That's because the U.K. is set to "Brexit" the European Union on March 29, following 52 percent of U.K. voters in 2016 opting for the country to leave the EU.
Parliament, however, rejected the withdrawal agreement presented to it last month, which was negotiated by Prime Minister Theresa May. The Conservative Party leader still clings to power - seemingly because no one else wants the job - and has been ordered to return to Brussels and renegotiate some parts of the agreement, despite EU negotiators saying that it cannot be renegotiated piecemeal.
While that drama continues, the clock winds down. So it's possible that the U.K. will exit the EU without having secured a withdrawal agreement.
As a result, all U.K. businesses that transfer data to or from the European Economic Area - all EU countries as well as Iceland, Liechtenstein and Norway - must, per EU law, put in place additional measures. So says Denham, who heads the Information Commissioner's Office, which enforces U.K. privacy laws, including compliance with the EU's General Data Protection Regulation (see: Irony Alert, Brexit Britain: Comply With EU Privacy Law).
"Like everyone in the U.K. right now, we are following the twists and turns of the Brexit negotiations. The sharing of customers', citizens' and employees' personal data between EU member states and the U.K. is vital for business supply chains to function and public authorities to deliver effective public services," Denham says in a blog post.
"At the moment personal data flow is unrestricted because the U.K. is an EU member state," she says. "If the proposed EU withdrawal agreement is approved, businesses can be assured that personal data will continue to flow until 2020 while a longer-term solution can be put in place."
Map Data Flows
But if the withdrawal agreement is not approved, the U.K. will crash out of the EU without a deal, at which point, any U.K. business that handles EU personal data will need to have transfer arrangements in place that proves they're handling the data in a legal manner.
Step one for making that happen: Map data flows.
"The key question around the flow of personal data is whether your data is going from the U.K. to the EEA or exchanged both ways," Denham says.
Personal data can include names, addresses, emails and financial details, among other types of information.
Achieving clarity will be essential for ensuring that your organization complies with GDPR. "If you are unsure, start by mapping your data flows and establish where the personal data you are responsible for is going," Denham says.
Lack of 'Adequacy'
In the event of "no deal," there also won't be an "adequacy" agreement in place. Such an agreement would mean that the U.K.'s laws are seen by the EU as being good enough to comply with European law.
"Companies and organizations operating within countries with adequacy agreements enjoy uninterrupted flow of personal data with the EU," Denham says.
Unfortunately, no withdrawal agreement also means no adequacy agreement, at least not right away.
"An assessment of adequacy can only take place once the U.K. has left the EU," she says. "These assessments and negotiations have usually taken many months," she says. "Until an adequacy decision is in place, businesses will need a specific legal transfer arrangement in place for transfers of personal data from the EEA to the U.K., such as standard contractual clauses."
Keep Complying With GDPR
Any organization that handles Europeans' personal data can be audited by EU privacy regulators to ensure that they are adequately protecting the data as well as handling it in an approved manner (see: France Hits Google With $57 Million GDPR Fine).
EU data protection authorities can impose fines of up to €20 million ($23 million) or 4 percent of an organization's annual global revenue - whichever is greater - on any organization found to have violated GDPR. Regulators can also revoke an organization's ability to process individuals' personal data.
To help organizations comply, the ICO has published Brexit guidance, including sample standard contractual agreements.
'No Deal': International Security Risk
The implications of a "no deal" Brexit apply to much more than organizations' handling of personal data. May's government appears to have done little or no planning for a "no deal" scenario. Experts say the government has failed to stockpile food and essential medicine, which will be needed to avoid shortfalls due to the likely supply chain interruptions that will occur if the U.K. crashes out of the EU.
On Tuesday, Dan Coats, the U.S. Director of National Intelligence, testified before the Senate Intelligence Committee that a "no deal" Brexit poses a national security risk for the U.S. and its allies: (see Intelligence Chiefs Expect More Cyberattacks Against US).
"The possibility of a 'no-deal' Brexit, in which the U.K. exits the EU without an agreement, remains. This would cause economic disruptions that could substantially weaken the U.K. and Europe," Coats said.
"No deal" would also make it more difficult for the U.S. and its Western European allies to defend themselves against foreign actors, according to the U.S. intelligence community's new Worldwide Threat Assessment.
"The United Kingdom's scheduled exit from the EU on 29 March 2019, European Parliament elections in late May, and the subsequent turnover in EU institutional leadership will limit the ability of EU and national leaders to contend with increased Russian and Chinese efforts to divide them from one another and from the United States," the report says.