Free flow personal data: If the UK leaves the EU without an agreement then the UK’s membership of the EU’s common data protection framework will end as of 23.00GMT on 31 October. As part of this the UK will become a third country and under the rules set out in GDPR companies which wish to transfer personal data to the UK from the EU will need to ensure ‘appropriate safeguards’ are put in place to provide assurances that these transfers meet data protection standards. As a result UK business which receive data from the EEA and wish to enter into business that requires exchanges of data with companies based in the EEA will need to review their business contracts to ensure that the recognised ‘appropriate safeguards’ are included. UK companies will therefore need support to check their existing contracts and review new contracts/ bids to ensure that these safeguards are included and that they are sufficiently robust to reassure potential business partners that they will not fall foul of data protection authorities. Failing to do so or increase the confidence in these measures from UK companies will mean that UK tech firms will be at a competitive disadvantage to companies based in the EEA.
Organisations within the EU have benefitted from the freedom to transfer personal information across the region for many decades under the EU’s common data protection framework. The free flow of data is a core part of the EU’s digital economy and the basis upon which many companies have built, shaped, grown and expanded their businesses, especially in the sphere of digital technologies.
Personal data is an integral part of any business. It can range from basic information such as individuals’ names and financial information to the more obscure such as habits and preferences. Most businesses will share and flow data across a number of jurisdictions to deliver services, engage partners and meet regulatory requirements. A no-deal Brexit will impact businesses to varying degrees as disruptions to information flows occur; this will be felt across supply chains, particularly where new technologies have increasingly global application.
The ability to rely on the EU data protection framework to facilitate data flows without impediments will cease to exist once the UK is no longer a part of the EU. It’s time to reconsider how organisations can use alternative mechanisms to sustain these cross border data flows. Currently, there are several available such as: adequacy decisions, Standard Contractual Clauses and Binding Corporate Rules. In order to leverage these mechanisms, organisations should have a good understanding of their key personal data flows, especially the prioritised ones (e.g. those that are business critical or relate to special category data) and the suitability of each mechanism is for their organisation.