U.K.-based businesses should take extra precautions to lawfully transfer personal data across the European Economic Area if Parliament rejects the Brexit deal next month, the U.K.’s privacy office said.
The Information Commissioner’s Office (ICO) released guidance Dec. 13 advising companies to put standard contractual clauses in place, and assign a representative to an EU or EEA state, where individuals whose personal data they’re processing are located.
Under the U.K.’s proposed divorce agreement with the EU, U.K. companies would continue to trade personal data freely across the EEA, which includes the EU as well as Iceland, Liechtenstein and Norway, until at least the end of 2020. But if lawmakers oppose the deal in a crucial January vote, the U.K. risks leaving the bloc on March 29, 2019 without a deal.
“In this event, the government has already made clear its intention to permit data to flow from the UK to EEA countries. But transfers of personal information from the EEA to the UK will be affected,” Information Commissioner Elizabeth Denham said in a blog announcing the guidance documents.
U.K. lawmakers are also discussing whether to try to renegotiate the Brexit deal or hold a second referendum.
“Data underpins the modern economy and businesses of all sizes depend on the free flow of information,” George Bush, a spokesman for business lobby group the Confederation of British Industry, told Bloomberg Law. “This guidance provides a trustworthy source of information for businesses to check and prepare their everyday operations.”
Giles Derrington, head of policy at techUK, which represents 900 tech firms, also welcomed the advice.
“Too many businesses, across all sectors, remain unprepared for the impact no deal would have on their ability to transfer data,” Derrington said in an emailed statement. “This guidance should help focus minds on the practical steps that businesses need to take.”
Companies seeking to make transfers of data from the U.K. to markets outside the EEA, called “restricted” transfers, should use European Commission-approved standard contractual clauses, the ICO said in its guidance.
Standard contractual clauses contain contractual obligations on both the U.K. business and its EU partner and rights for the individuals whose personal data is transferred, the ICO said.
Companies that make restricted data transfers within a corporate group or to a group of overseas service providers should also consider binding corporate rules as a way of providing appropriate safeguards, the regulator said.
The ICO advised companies with existing binding corporate rules to update them so that the U.K. is listed as a third country outside the EEA.
Under a no-deal Brexit, U.K. controllers and processors would no longer be considered part of the EEA. Companies would need to establish a representative within the EEA, as required under the EU’s General Data Protection Regulation rules.
Companies with pan-European operations would need to reconsider their choice of lead EU supervisory authority to use if they use the U.K.’s ICO as their lead regulator.
Under the EU’s One Stop Shop, EU-based businesses can choose to deal with a single European authority to avoid spending time and money to deal with several authorities at once. But companies would lose that privilege if the U.K. leaves the EU without a deal, the regulator said.
“This could significantly affect your business and the resources you need to deal with enquiries from various European data protection authorities,” the ICO said.