Latest ICO Brexit Warnings: Need to Set Up SCCs with European Partners
The ICO (Information Commissioner's Office), the UK Government's data protection authority and GDPR regulator, has now issued guidance and warnings on how a no-deal Brexit would affect data processing across European boundaries.
A no-deal Brexit will change how EU law applies to UK companies processing data.
If a company is transferring data from a UK company to an EU company, nothing changes. However, if the flow runs the other way, from an EU company to a UK one (for example, if you use EU-based servers to send email), then you would need to take extra steps. (If you are with a UK email provider like 247EmailData, which uses UK-hosted servers, no action is needed.)
Below is an information video produced by the ICO.
As GDPR, NIS and PECR have already been placed into UK law, they will be retained even after a no-deal Brexit. eIDAS has yet to be placed into law; however, the government expects it also to be retained before the Brexit deadline.
The ICO has specific guidance on what you need to do with EU partners, specifically requesting the use of Standard Contractual Clauses (SCCs) to ensure your data can keep flowing.
The SCCs outline the data protection requirements and responsibilities of a company with reference to GDPR legislation within the EU. They set up contractual terms that ensure both companies process data lawfully.
Up until 31 October, data flow is unrestricted as the UK is still a full EU member. However, this could change overnight, and it is then up to UK companies to ensure they comply.
Elizabeth Denham (the Information Commissioner) commented: "It's crucial that organisations make sure they properly prepare for all scenarios." The ICO is advising businesses to get up to date with its published guidelines, adding: "Even if you think your organisation doesn't transfer data internationally, I'd urge you to read what we've produced, and assess whether you need to act."
If, as an organisation, you have satellite offices within the European Economic Area (EEA), you will need to comply with both EU and UK law. If your organisation has this structure, you should also appoint a specific EEA representative. If you also have a current Data Protection Officer, the EEA representative will need to be a different person.
The overall guidance appears to be for organisations to continue working to all existing GDPR guidelines; this will ensure you stay compliant with both EU and UK law.