Protecting data after Brexit, deal or no deal
Whether the UK leaves the EU with or without a deal, SMEs need to be aware of their data protection responsibilities or risk falling foul of the GDPR, says LSCA Business Board’s vice chair Anzo Francis.
All the indications are that the UK will leave the EU on 31 October 2019, and possibly crash out with no deal. How should small and medium enterprises (SMEs) prepare for this, in relation to data protection?
At the point of a no-deal Brexit, there will be no immediate change to UK data protection rules. The General Data Protection Regulation (GDPR) would be enacted into UK law and the Information Commissioner would remain the independent supervisory authority for UK data protection.
Businesses will be able to send personal data from the UK to the European Economic Area (EEA) and third countries deemed adequate by the EU at the point of Brexit. However, with a no-deal Brexit, there will be a change to the way data is shared from the EEA to the UK under European regulations.
Personal data refers to any information that can be used to identify a living individual, including name, physical address, email address, payroll and passport data. There will be many instances where a UK company receives personal information from a European company, in order to provide goods or services, and vice versa.
SMEs should review data flows into the UK from the EEA and consider the data protection safeguards they should put in place to comply with European regulations. SMEs should also review data flows from the UK into the EEA and document the new basis for transferring personal information under UK data transfer rules.
Businesses that have European operations should review their structure, data processing operations and data flows to ensure compliance with relevant European regulations. Data protection personnel should review privacy information, notices and internal documentation and identify which details and references will need updating when Brexit occurs.
Businesses should ensure that key managers are aware of these issues, keep abreast of the latest guidance from the UK government and the Information Commissioner’s Office (ICO) and raise awareness among all staff across the organisation. A focus on compliance should help businesses to safeguard personal data during the Brexit process and beyond, deal or no deal.
Anzo Francis is vice chair of the LSCA’s Business Board and Director of Finance and Corporate Services at Raleigh International