Companies in Ireland should consider what legal tools they might use to transfer data if the U.K. leaves the EU without a withdrawal agreement, the Irish privacy authority has said.
The U.K.'s status as a “third country” outside the EU would “have repercussions for all organizations and bodies trading with or doing any other kind of business or correspondence with entities in the UK, including Northern Ireland,” the Irish Data Protection Commission said Dec. 21 in preliminary guidance on its website.
Companies that transfer data to the U.K. should consider mapping the personal data currently being moved and deciding whether to continue those transfers post-Brexit, the regulator said. Companies should determine the best legal mechanism to use for transferring data—and have it in place before March 30, it said. The U.K. is set to exit the EU March 29, 2019.
An Irish company that outsources its payroll to a U.K.-based data processor, or an Irish government body using a cloud storage provider in the U.K., for example, would need legal mechanisms to keep doing business in the event of a no-plan Brexit, the office said.
One common alternative way to move data would be through the use of standard contractual clauses that spell out terms and obligations between data exporters and importers, it said.
U.K. companies could freely move data across the European Economic Area, which includes the EU and Norway, Iceland, and Liechtenstein, until the end of 2020 under a pending U.K.-EU agreement. But British lawmakers could vote that down in January, leaving the U.K. open to withdrawing from the EU with no deal in place—an option that would cast businesses who rely on moving data between the entities into uncertainty.
U.K. Information Commissioner Elizabeth Denham said in a blog post earlier this month that even if U.K. companies can move data across the EEA, data moving the other way would be affected if there’s no Brexit deal or alternative for governing the transfer.