ICO publishes no deal guidance on data transfers

13 Dec 2018 02:30 PM

The ICO has provided additional information on how international data transfers will be impacted if the UK leaves the EU without a deal in March 2019.

The Information Commissioner’s Office (ICO) has today published additional guidance for businesses about the impact on data transfers in the event of the UK leaving the EU with no deal in March 2019. The guidance follows a planned amendment to the Data Protection No Deal Technical Notice published by the Government.

Personal data is able to flow freely among EU (and EEA) Member States as they all are part of the same data protection framework, however once the UK leaves the EU, it will be leaving that framework and the automatic ability for data to flow between the UK and EU will come to an end. There are mechanisms to facilitate data transfers, set out in the EU’s General Data Protection Framework. techUK has previously published information on the impact of the UK leaving the EU on data protection and data transfers. You can see techUK’s report ‘No Interruptions’ which sets out the impact and possible solutions here.

techUK supports the commitments reached in both the Withdrawal Agreementand the Political Declaration on the Future Relationship, agreed between the UK Government and European Union, which would see continued free flow of data during the transition period and a commitment for both the UK and EU to agree adequacy agreements by the end of the transition period which would allow the continued free flow of data.

However, while it is not the intention of the UK Government to leave the EU with no deal next year, it is important that businesses are able to plan for all possible eventualities, and so this additional guidance from the ICO is welcome, which provides further clarity around the types of arrangements businesses might need to implement when transferring data from the UK to the EEA, EEA to the UK and from the UK to other non-EEA countries.

The ICO’s guidance takes the form of four elements:

• A Six Steps To Take Guide
• Detailed guidance on impact of leaving EU with no withdrawal agreement
• FAQs
• Interactive online tool/guide to implement Standard Contractual Clauses (SCCs) 

Commenting on the guidance, Elizabeth Denham, Information Commissioner, said:

“The basis on which the UK will leave the EU has still to be decided. The Government has made clear that GDPR will be absorbed into UK law at the point of exit so there will be no substantive change to the rules that most organisations need to follow.  But organisations that rely on the transfers of personal data between the UK and the European Economic Area (EEA) may be affected. 

“Personal information has been able to flow freely between organisations in the United Kingdom and European Union without any specific measures as we have had a common set of rules - the GDPR. This two way flow of personal information without specific measures will no longer be the case if the UK leaves the European Union without a withdrawal agreement that specifically provides for the continued flow of personal data.”

If you would like to find out more about techUK’s work on data protection and the impact of Brexit on international data transfers please contact Jeremy Lilley.