Just when you thought it was safe to go outside again, that terrible B word rears its ugly head once more.
The U.K.'s departure from the E.U. presents some challenges to how organisations manage their data transfers in and out of the U.K. Many of the rules aren't new; most of them are the same as they were under the Data Protection Act 1998. But our change in circumstances now means that some of the rules we didn't necessarily have to worry about before are coming to the fore. In this article, as part of my work with the Essex Chambers of Commerce, I'll be summarising what steps you need to take, why you need to take them, and what resources are available to help you.
Start at the beginning: what have you got and where is it?
If you are an organisation that only offers products to customers based in the U.K. and only uses systems and technology that are also based here, then for you, us leaving the E.U. and what you need to do about your international transfers is pretty minimal to non-existent. But my question to you is this: how do you know you are 100% U.K. based? Your customer base is fairly obvious to work out, which is fine, but do you know what systems your staff use? Have you looked or asked where they physically store your data? If not, before you put this issue to bed I would ask those questions if I were you. It's what you don't know that tends to bite you in the behind, so find out what systems are being used and find out where the servers are that support them.
What happens if my personal data is leaving the U.K.?
Data Protection doesn't ban Personal Data leaving the country (contrary to some articles stating that it does). Instead it establishes a set of rules for sending it outside of the U.K., under a very similar principle to when you were a child: if you wanted to ride a bike, your parents made sure you wore your helmet and made it abundantly clear that you certainly didn't go out onto the open road. Like all things in life, you can do it, but with conditions.
Regardless of what sort of EU exit we have, if your data is being sent to any country in the European Economic Area (EEA) (the EEA is the EU plus Iceland, Norway and Liechtenstein) or anywhere currently seen as a 'safe location' as outlined on the ICO's website, then you can continue to do so for the foreseeable future. Your transfer will still need to ensure it is compliant with the principles; however, these countries are seen as 'safe' and will continue to be by the UK Government post our departure from the E.U.
If your data is going to a country not on that list, then it is a little more complicated for you. In order to get the data out of the UK you need to ensure you have an 'appropriate safeguard' in place. These are there to attempt to offer the same level of legal and technical protection that data enjoys while being in the U.K. Some countries (as examples) like India, China, Ghana, Australia etc. either haven't yet applied to be seen as a 'safe location', or they have and so far the E.U. & U.K. Governments have determined that their legal system and culture does not offer adequate protections for that data. Therefore additional protections need to be put in place by some form of legally binding framework.
There is detailed guidance on all the ways of getting data out of the U.K. on the ICO's website; however, for the purposes of this article I am focusing on Standard Contractual Clauses (SCCs). What this requirement states is that where you are sending data to an entity in India (for example), that entity will sign a contract with you regarding that service/transfer, of which a part or annex will contain a template set of legal wording that was produced by the European Commission. These terms in essence bind that entity to the same legal obligations that you are under, as they become an enforceable part of your contract. There are a number of templates available, but for the majority of what small & medium size businesses are doing, the Controller to Processor ones should suffice.
Once you have edited them to your needs and they are signed, you are good to go. You will need to ensure you have ones in place to cover all your transfers and all your purposes for transferring data. If you are unsure whether your contracts cover these off, always seek advice.
What if I'm actually bringing data into the U.K.?
If you are, for example, offering services into the E.U., which means you now have data being used and stored over here, there are a few things you will need to do based on what you are doing.
Where you are offering goods & services to E.U. citizens directly, you are still directly bound by the GDPR (and not just the UK version of it), so you need to ensure that citizens are told their data is leaving the E.U. and ensure your grounds for processing are suitably managed (i.e. do you need consent, is it part of the contract, etc.?).
Where you are offering goods & services to E.U. based organisations that will have E.U. citizen data included, then the entity you are doing business with will need to do the following with you:
- If we leave the EU with a deal, and as part of that deal we are still seen as a 'safe location' then they will simply need to ensure they have a robust Data Processing Agreement with you as part of the services contract.
- If we leave with no deal, and by default become a 'third country', that entity will need you to agree to the SCCs as outlined above. If those entities have not already contacted you about this, you may want to get in touch with them sooner rather than later. Again, as mentioned above, ignorance is no excuse, and although you may just be a processor you are still responsible for ensuring that your processing of Personal Data is correct (and an invalid or missing DPA is a big black mark against that).
What resources are there around to help me?
The British Chamber of Commerce has produced a number of templates and documents to assist businesses in particular with various aspects of Brexit. These include:
- Brexit Checklist of things to start looking at (including Data Transfers).
- A Brexit Template Risk Register
These are available on the Essex Chambers of Commerce website, along with summary guidance produced by us for the Chamber to assist you.
The Information Commissioner also has a web page with dedicated links and resources, which is structured very similarly to how I've structured this. Therefore, based on what you are doing, there is specific guidance and resources available to support you.
You can also check out our website and get in touch for how we can help you navigate these waters and continue to run your ship!