Implement your fail-safe mechanism now!
A big week in politics lies ahead, the same can also be said for data protection. If a Brexit deal is secured then there will be no immediate change to data transfers between the EEA and UK. The rules will not change during the implementation period, so personal data can continue to be sent to and received from the EEA without any new requirements. (All indicators are that no Brexit deal will be secured this week).
There is a suggestion that there may even be a third vote on the Prime Minister’s proposed deal as late as two days before the withdrawal date of the 29 March 2019 (if, as expetced, the second deal is defeated in the House of Commons this week).
A no-deal Brexit would pose a number of challenges for data protection issues, particularly in relation to data transfers fro the EEA to the UK.
Any extension of Brexit is not guaranteed either, with a number of EEA countries reluctant to agree to an extension, and even if they do they may impose stringent conditions which may not be acceptable to a majority of the House of Commons.
Creating your fail-safe mechanism
So, if there is no deal EEA data flows into the UK will need to be subject to additional safeguards after 29 March 2019. All businesses transferring personal data from the EEA to the UK will have to ensure there is a compliant data-sharing/data-processing mechanism in place. Due to the uncertainty SME’s would be prudent to implement a ‘fail-safe’ mechanism by undertaking the following steps:
- Identify what processing activities involve personal data transfer to the UK.
- Determine the appropriate data-transfer instrument for your situation (We suggest the EU’s Standard Contractual Clauses are most appropriate for SME's and so have concentrated on these as opposed to Binding Corporate Rules).
- Implement the chosen instrument to be ready for 30 March 2019 (see below)
- Indicate in internal documentation that transfers will be made to the UK.
- Update your privacy notice accordingly to inform individuals.
Standard Contractual Clauses (SCC’s)
SCC’s are a standard set of contractual terms and conditions which the sender and receiver of the personal data both sign up to, and are recommended for SME’s in the UK. What’s more they are free and available online so SME’s can incorporate them straight into data sharing agreements and data processing agreements.
The SCC’s include contractual obligations which help protect personal data transferred when the UK leaves the EEA. SME’s should note that the SCC’s must be implemented in full. Companies cannot pick and choose which terms and conditions they would like to use and disregard the rest.
So get competitive advantage and incorporate the SCC’s today by downloading from the following link. Any problems do get in touch!
2001 Controller to controller - https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32001D0497&from=en
2004 Controller to controller - http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2004:385:0074:0084:EN:PDF
2010 Controller to Processor - http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2010:039:0005:0018:EN:PDF