Update from the Information Commissioner's Office
18 October 2019
There’s one topic front and centre of this month’s newsletter: how your organisation can prepare for the UK leaving the European Union.
It’s a crucial area.
If your organisation sends or receives personal information to or from countries in the EU, you need to act now to ensure that data flow can lawfully continue.
That’s why the office has produced a range of advice and guidance to help organisations.
At the moment personal data flow is unrestricted because the UK is an EU member state. But if the UK leaves the European Union with no deal, that will change, and additional measures will be needed to make sure your business complies with the law.
It’s important you make sure your organisation is properly prepared for all exit scenarios, whether you’re a sole trader, a small business or a large multinational.
The guidance will help you work out what you need to do now, and then let you get back to your main focus: running your business.
Nicky Morgan, the Secretary of State responsible for data protection, said:
“The Government has launched the UK’s biggest ever public information campaign to help businesses get ready for Brexit. A key part of that is making sure businesses can still lawfully send and receive data like customer and employee details. The ICO’s guidance sets out how you can prepare your business, and is essential reading.”
As you’d expect, the Information Commissioner's Office has been working closely with the Government on such an important issue, particularly making sure smaller businesses are aware of the importance of making preparations.
There’s dedicated guidance for smaller organisations on the Information Commissioner website. Even if you think your organisation doesn’t transfer data internationally, they urge you to read what they've produced, and decide whether you need to do anything now to ensure you remain compliant with the law.
New guidance for small organisations
The flow of data between EU or EEA member states and the UK is vital for business. Businesses have to prepare for all Brexit scenarios.
You may think your organisation won't be affected – but you must be sure.
The new small business guidance will help you determine if your organisation’s data will be affected by Brexit and what steps you need to take to keep your data flowing.
Guidance for small organisations that receive data from Europe
If your UK-based small or medium-sized organisation (SMO) receives data from countries in the EEA, the new guidance will help you take steps to make sure data can continue to flow after Brexit.
Build a contract now to keep data flowing
In most cases, to keep data flowing into the UK in the event of a no-deal Brexit, UK-based organisations will need a contract in place between them and the EEA-based sender.
The best way to do this is to put a contract in place now on EU-approved terms, known as Standard Contractual Clauses (SCCs).
We have created two interactive tools to help you build your own SCCs in about 10 minutes. The two tools are for:
• Controller to controller transfers; and
• Controller to processor transfers (where you are the data processor).
Don’t know if you need an SCC? Find out easily now
The ‘keep data flowing from the EEA to UK’ interactive tool, for SMOs based in the UK, will help you decide whether your organisation needs SCCs to help you maintain the flow of data, and which SCC builder you need to use.
Guidance for large organisations that send or receive data to Europe
Guidance for small organisations with a European presence or customers
If your SMO operates in the EEA, you will need to comply with both the UK and EU data protection regulations after Brexit. The new guidance will help you take steps now to do so.
Guidance for large organisations with a European presence or customers
The Information Commissioner's Office has more detailed guidance for large organisations that are offering goods or services to individuals in the EEA or that are monitoring the behaviour of individuals in the EEA.
It also includes information for organisations carrying out cross-border processing of personal data in the EEA.
Hear from the ICO more regularly
To stay in the know, you can sign up to receive more regular emails from the ICO and be the first to hear of any updates to all our guidance, including our Brexit guidance.