Are you an Irish company that transfers personal data to the UK?
The proposed withdrawal agreement would have preserved the status quo in data protection terms, at least until the end of the transition period in December 2020. However, if the UK leaves the EU without a deal, the implications for international data flows and privacy compliance generally will be severe. Without additional actions, UK-based processing of EU personal data will be illegal.
How do you ascertain ways you might be transferring data to a UK-based company? Ask yourself the following questions:
- Are you outsourcing your HR, IT or Payroll function to a UK-based organisation?
- Are you using a UK-based marketing company to send marketing communications to your customer database?
- Is your pension scheme based in the UK?
- Are you storing data in the UK on a server or in the cloud?
In a ‘No Deal’ Brexit scenario, you will need to put extra measures in place to legally transfer this data.
EU-based data controllers are not permitted to transfer personal data outside the EU/EEA unless the data protection standards that apply within the EU/EEA are maintained.
In a “no-deal” Brexit scenario, the UK will no longer be a member of the EU; instead, it will become a ‘Third Country’. In time, it will have to look for an Adequacy Ruling, like Japan. This means that transfers of personal data from Ireland to the UK will be treated in the same way as transfers of personal data to countries such as Australia or India.
What this means in practice is that, in order to comply with GDPR rules, an Irish company intending to transfer personal data to the UK will need to put in place specific safeguards to protect the data in the context of its transfer and subsequent processing.
This can be done in a number of different ways, depending on the circumstances in which the data is to be transferred. One such way is the use of “Standard Contractual Clauses” (“SCCs”), also called “Model Clause Agreements”, and this is likely to be relevant to most Irish businesses that transfer personal data to the UK.
The Model Clause Agreements consist of standard or template sets of contractual terms and conditions that the Irish-based controller and the UK-based recipient both sign up to. The basic idea is that each of the parties to the contract gives contractually binding commitments to protect personal data in the context of its transfer from the EU/EEA to the Third Country. Importantly, the data subject is also given certain specific rights under the SCCs even though he or she is not party to the relevant contract.
We can help you prepare and give you peace of mind. You can email gail@chalmindataprivacy.ie
The Data Protection Commission's website also has some very good additional advice on the matter: https://www.dataprotection.ie/en/organisations/international-transfers/guidance-tranfers-personal-data-ireland-uk-event-no-deal