With summer firmly behind us we are fast approaching 31 October, a date which is traditionally known for being the scariest date of the year. At the forefront of this Halloween comes Brexit with all the commercial challenges and opportunities that it brings. The UK government is anxious to retain the UK’s reputation as a major business hub but facing the reality that the UK may leave the EU without a deal, small and medium businesses have to consider what (if any) actions have to be taken with regards to data protection, specifically personal data.
The Information Commissioner’s Office (ICO) is the UK’s independent regulator for data protection and information rights law, upholding information rights in the public interest and data privacy for individuals. The ICO has specific responsibilities set out in the Data Protection Act 2018 (DPA2018), the General Data Protection Regulation (GDPR), the Freedom of Information Act (FOIA), the Environmental Information Regulations 2004 (EIR) and the Privacy and Electronic Communications Regulations 2003 (PECR).
Personal data is information that relates to an identified or identifiable individual, which includes a name, number, or IP address amongst other things. Basically, if it’s possible to identify the individual from the information you have, then there is a strong chance that it is personal data. This includes any information relating to sole traders, employees, partners and company directors where they are identifiable as individuals, since the information relating to them may form personal data.
The sharing of customers’ and employees’ personal data between EU member states and the UK is imperative for business supply chains to work and for public authorities to produce effective public services. Personal data flow is currently unrestricted because the UK is an EU member state. In the event of no deal, EU law will require additional measures to be put in place when personal data is transferred from the European Economic Area (EEA) to the UK in order to make such transfers lawful.
The ICO has issued guidance for small and medium organisations to prepare for the event that the UK leaves the European Union with no deal. The reality is that most of the data protection rules will stay the same, but if you are a UK business or organisation that receives personal data from contacts in the EU, you will need to ensure that you are able to continue that data flow post-Brexit. Furthermore, if you are a business or organisation with an established presence in the EU, you will need to comply with both UK and EU data protection regulations after Brexit. Action is needed now to ensure the continued flow of personal data between EEA personal data exporters and UK personal data importers post-Brexit. For instance, a conditionality clause can be included in agreements to ensure data flows can continue without interruption when the UK leaves the EU.
Whilst the government plans to incorporate GDPR into UK law alongside the Data Protection Act 2018 after Brexit, small and medium organisations are best placed if they take steps to ensure they are fully GDPR compliant before 31 October 2019. This will put them in the best position to comply with any further requirements that emerge post-Brexit.
For more information on the prevalent points of GDPR please refer to our top tips for GDPR compliance.
To discuss any matters relating to the above or any other commercial or corporate requirements, please contact a member of our Corporate and Commercial Team.