The Data Protection Commission have issued guidance on how businesses can prepare for a “no-deal” Brexit and ensure that the transfer of personal data to the UK, including Northern Ireland can be transferred legally.
Consider if your business is impacted if you transfer personal data to a UK based company for the following reasons:
- You outsource to a HR, IT, Payroll or Accountancy provider in the UK
- Your pension scheme is based in the UK
- You avail of insurance services from the UK
- You avail of training providers in the UK where employee personal data is transferred to them
- You are storing data in the UK on a server or in the cloud
These are just a few examples but your first step is to verify whether your business transfers personal data to the UK, including Northern Ireland.
Whilst it remains uncertain whether a “no-deal” will take place, businesses should prepare for that eventuality. The rest of this article will operate on the basis that a “no-deal” will happen and outline what businesses should do to prepare for it.
Currently the UK comes under the remit of GDPR but in the event of a “no-deal” the UK will no longer be a member of the EU and will become a “Third Country”. What this means is that the transfer of personal data will need to be treated in the same way as countries like Australia, India, Israel and so forth.
Businesses will need to ensure that there are specific safeguards to protect and legally transfer the personal data to a third country. These are called transfer mechanisms.
Some third countries have received an approved adequacy decision. What this means is that the EU has verified that particular third country has equivalent standards of data privacy to GDPR. The difficulty with the UK is that the EU cannot grant an adequacy decision until it is clear a “no-deal” takes place and then it could take up to two years for it to be approved. Businesses will not be able to rely on an adequacy decision to transfer personal data from Ireland to the UK.
The easiest option for small businesses is to use a transfer mechanism called Standard Contractual Clauses” (SCCs). The Data Protection Commission have just released a template SCC that businesses can use. The use of SCCs relates to data controllers and data processors. You would not use this for data subjects, e.g. customers or employees.
Businesses can complete the SCC and issue it to their UK data processor and once both parties sign and agree to it, a legal transfer mechanism is in place and the personal data can legally flow from Ireland to the UK. The Data Protection Commission give advice on how the template should be completed which you can read here.
Ibec have issued information and some useful links in relation to this which you can view here. We will continue to keep you updated on how to prepare for Brexit and GDPR and we will be issuing details of an event on this in the coming days.
We are working with the Data Protection Commission to create a list of FAQs so if you have any specific issues or scenarios please contact SFA Executive, Helen Quinn by 20 February on 01 605 1668 or firstname.lastname@example.org.