With fewer than 40 days to go before Brexit is scheduled to take place in this week’s blog I will outline the standing positions of the regulatory bodies in the UK and in Europe. My hope is to help you understand how Brexit will impact UK companies in the marketing and data sectors and our partners in Europe.
The DMA is opposed to a no-deal Brexit because it would raise unnecessary barriers to the free flow of data between the EU and UK. The DMA stresses that as personal data is the lifeblood of cross-border EU-UK trade in advertising and marketing, it is imperative that Members of Parliament work to prevent a no-deal Brexit and ensure that the free flow of personal data between the EU and UK is maintained.
But, to help you prepare, they have created a Brexit Toolkit – helping businesses to plan for every eventuality. The Toolkit includes tools to help identify the policy areas that are relevant to your business and, therefore, the tasks you should prioritise.
The Information Commissioner’s Office (ICO) also offers advice for organisations to prepare for a no-deal Brexit. The ICO states that the Government has made clear that the General Data Protection Regulation (GDPR) will be absorbed into UK law at the point of exit, so there will be no substantive change to the rules that most organisations need to follow.
However, organisations that rely on the transfers of personal data between the UK and the European Economic Area (EEA) may be affected. Personal information has been able to flow freely between organisations in the UK and European Union without any specific measures. That’s because we have had a common set of rules - the GDPR.
But this two-way free flow of personal information will no longer be the case if the UK leaves the EU without a withdrawal agreement that specifically provides for the continued flow of personal data.
If there is a hard Brexit, the Government has already made clear its intention to permit data to flow from the UK to EEA countries. But transfers of personal information from the EEA to the UK will be affected.
The ICO has issued a “Six Steps to Take” Guide designed to help all organisations make the precautionary preparations that will help ensure that data flows continue, as well as broader guidance on the effects of leaving the EU without a withdrawal agreement.
The ICO Six-Step Guide highlights the following areas:
·Continue to comply - Continue to apply GDPR standards and follow current ICO guidance. If you have a DPO, they can continue in the same role for both the UK and Europe.
Transfers to the UK - Review your data flows and identify where you receive data into the UK from the EEA. Think about what GDPR safeguards you can put in place to ensure that data can continue to flow once we are outside the EU.
Transfers from the UK - Review your data flows and identify where you transfer data from the UK to the EEA, or to countries outside the EEA, so that you can document the new basis for those transfers under UK transfer rules
·European Operations - If you operate across Europe, review your structure, processing operations and data flows to assess how the UK’s exit from the EU will affect the data protection regimes that apply to you.
Documentation - Review your privacy information and your internal documentation to identify any details that will need updating when the UK leaves the EU.
Organisational awareness - Make sure key people in your organisation are aware of these key issues. Include these steps in any planning for leaving the EU and keep up to date with the latest information and guidance.
It is clear that there are guidance and tools out there for the preparation for Brexit. We should all be preparing for the next 40+ days.
And, if you’re too busy running your business to focus on data practices and compliance, we can help.
Savinder Lefevre
Comments