Brexit

Preparing for a no-deal Brexit - Data

Shane Carrick Shane Carrick

The restrictions in data flows caused by a hard Brexit have the potential to further add to the widespread product and service disruption across the UK and EU (including any supply chain component involving those territories).

If the UK leaves the EU without an agreement the UK will be treated by the EU as a “Third Country” for personal data transfers. Organisations in EU member states are restricted from sending personal data to “Third Countries” unless approved transfer methods are in place. These transfer methods take time and effort to implement.

  • Personal data sent from the EU to the UK - Must be legitimized through one of the available transfer methods as per GDPR
  • Personal data sent from the UK to an EU country – As with any transfer into the EU or indeed any personal data within the EU, it must be treated according to GDPR requirements once received.

What could this impact:

Area

UK Organisations impacted

EU Organisations impacted

Staffing / HR

Any staff residing in the EU or any HR service (or subcontracted service) within the EU

Any staff in the UK or a service provider e.g. payroll are located in the UK or have a subcontractor in the UK

Operations

Your operations may rely on using the EU for transport, or for an outsourced part of your business operations.

Your operations may rely on using the UK for transport, or for an outsourced part of your business operations

Vendors

You may obtain goods or services from the EU. Consider especially data centre or hosting services.

You may obtain goods or services from the UK. Consider especially data centre or hosting services.

Customer Relations

You will need to be clear about where your customers are, where their data is and what will be done with it

Understand Impact

  • Legal entities - You may need to re-organize your group structure to segregate data and thus it may be necessary to seek additional licensing.
  • Agreements - Agreements with customers may need to be amended to reflect the changing UK status. Vendor agreements will need to be supplemented.
  • Customer information – EU customers may need to be advised of the transfer of their data to a “Third Country”. Customers may have concerns about how their information is handled.
  • Time is short - Very little time remains to have these measures in place before the BREXIT deadline. Many of these mitigations take many months to implement.

Immediate Actions

  • Understand your data flows- Know where your data is going, how often and by what means.
  • Know your customers– Where are your customers? How will you handle their personal data in a compliant way?
  • Know your third parties – and theirs!- Consider which third parties are in the UK and which are in the EU. Also consider where their third parties and service providers are and if they will be impacted.
  • Determine your best course of action- Update your documentation at a minimum to incorporate the UK into Privacy Policies and agreements. Consider if you need to change away from UK or EU based companies.