Companies need to consider alternatives to ensure compliance with GDPR.
A no-deal Brexit could impact the flow of personal and business information between the UK and the European Economic Area (EEA), Deloitte has warned, urging businesses to get ready for a new burden.
“Many companies have spent months, and in some cases years, preparing for the introduction of GDPR in May last year and they have invested heavily in terms of resources to work towards compliance since then,” said Colm McDonnell, partner at Deloitte’s risk advisory group.
“The impact of a no-deal Brexit will mean that those organisations may now face additional challenges to ensure compliance post-Brexit.”
McDonnell pointed out that every organisation that processes personal data, transfers such data or has a group entity in the UK will need to put in place measures to ensure compliance.
The Information Commissioner’s Office in the UK has stated that the government intends to enable data flow from the UK to the EEA without any additional measures, but transfers from the EEA to the UK will be impacted.
Action plan recommended
McDonnell said that many EEA-based multinational or large organisations that process personal data have some form of processing agreement with UK vendors or transfer personal data between group entities. From a sectoral point of view, banking and insurance companies that have data processors or group entities based in the UK will have to take measures.
Data protection options available in the aftermath of a no-deal Brexit include:
- An adequacy decision, in which the European Commission (EC) determines that a country outside the EEA offers an adequate level of protection
- Binding corporate rules, which are internal rules for data transfers within multinational companies and must be reviewed by the relevant data protection authorities
- Model contract clauses, where the EC decides that standard contractual clauses offer sufficient safeguards for personal data to be transferred internationally. The downside is that executing these can carry a large administrative burden and significant financial cost
McDonnell urged companies to come up with a well-prepared action plan that may take these options into account.
He recommended that potentially affected organisations should maintain compliance with GDPR in terms of up-to-date records. He said they should conduct a review of all data protection notices and prepare blanket statements such as ‘No personal data will be transferred out of the EU/EEA’ as well as derogations that may apply under Article 49 of the GDPR.
He also recommended that firms update due diligence procedures to allow for data processors to be situated in the UK, and review all binding corporate rules and model contract clauses.
“With many organisations still slowly working towards achieving full demonstrable compliance with GDPR, a no-deal Brexit poses additional challenges,” McDonnell concluded.
“However, a well-prepared action plan aligned with ongoing initiatives can help to ensure a smooth transition and continuation of a free flow of personal data between the EEA and the UK.”