This page contains a Flash digital edition of a book.
The Analysis Editor’s Letter


How will personal data continue to flow after Brexit?


Stephen Kiely Editor, CCRMagazine stephen@ccrmagazine.co.uk


Last month, information commissioner Elizabeth Denham set out, in a blog, a number of myths regarding how data would continue to flow after Brexit. At the moment, personal data flow is


unrestricted because the UK is an EU member state. However in the event of ‘no deal’, EU law will require additional measures to be put in place by UK firms when personal data is transferred from the European Economic Area (EEA) to the UK, in order to make them lawful. She set out these myths and realities of what


a no-deal Brexit would mean: l ‘Brexit will stop me from transferring personal information from the UK to the EU altogether’ – in a ‘no deal’ situation the UK government has already made clear its intention to enable data to flow from the UK to EEA countries without any additional measures. But transfers of personal data from the EEA to the UK will be affected. The key question, on the flow of personal


‘no deal’. It is the responsibility of every business to know where the personal data it processes is going, and that a proper legal basis for such transfers exists. l‘My business will be fine because there will be an EU Commission adequacy decision on exit day of 29 March 2019 to ensure the uninterrupted exchanges of personal data between the UK and the EU’ – ‘adequacy’ is the term given to countries outside the EU that have data-protection measures that are deemed essentially equivalent to European standards. Companies and organisations operating within countries with adequacy agreements enjoy an uninterrupted flow of personal data with the EU. But an assessment of adequacy can only take place once the UK has left the EU. These assessments and negotiations have


data, is whether your data is going from the UK to the EEA or exchanged both ways? If you are unsure, start by mapping your data flows and establish where the personal data you are responsible for is going. l ‘I have regular customers from Europe who come to my family’s hotel every year – I will need a special agreement set up to deal with their personal details’ – when a customer passes their own personal data to a company in the EEA or the UK, it is not considered to be a data transfer and can continue without additional measures. However, there may be other ways you transfer data, for example


At the moment, personal data flow is unrestricted because the UK is an EU member state. However in the event of ‘no deal’, EU law will require additional measures to be put in place by UK firms when personal data is transferred from the European Economic Area (EEA) to the UK


usually taken many months. Although it is the ambition of the UK and EU to eventually establish an adequacy agreement, it will not happen yet. Until an adequacy decision is in place, businesses will need a specific legal transfer arrangement in place for transfers of personal data from the EEA to the UK, such as standard contractual clauses. l ‘Our parent company in Europe keeps all our personal-data records centrally so I do not need to worry about sorting any new agreements’ – do not presume you are covered by the structure of your company. In the case of no deal, UK companies


a booking agency transferring a list of customers, in this case you may need additional measures. l ‘Brexit will only affect data transfers of UK companies actually exporting goods or services to the EU’ – personal data transfers are not about whether your business is exporting or importing goods. You need to assess whether your business involves transfers of


personal data, such as names, addresses, e-mails, and financial details to and from the EEA, and if this is going to be lawful in the case of


March 2019


transferring personal information to and from companies and organisations based in the EEA will be required by law to put additional measures in place. You will need to assess whether you need to take action. There are many mechanisms companies can use to legitimise the transfer of personal data with the EEA and standard contractual clauses are one of those. Ms Denham concludes with great common sense that “it is in


everyone’s interests that appropriate exchanges of personal data continue whatever the outcome of Brexit”, so now it is over to regulators and industry to ensure that happens, whatever the outcome. Enjoy the magazine!


www.CCRMagazine.com 3


Page 1  |  Page 2  |  Page 3  |  Page 4  |  Page 5  |  Page 6  |  Page 7  |  Page 8  |  Page 9  |  Page 10  |  Page 11  |  Page 12  |  Page 13  |  Page 14  |  Page 15  |  Page 16  |  Page 17  |  Page 18  |  Page 19  |  Page 20  |  Page 21  |  Page 22  |  Page 23  |  Page 24  |  Page 25  |  Page 26  |  Page 27  |  Page 28  |  Page 29  |  Page 30  |  Page 31  |  Page 32  |  Page 33  |  Page 34  |  Page 35  |  Page 36  |  Page 37  |  Page 38  |  Page 39  |  Page 40  |  Page 41  |  Page 42  |  Page 43  |  Page 44  |  Page 45  |  Page 46  |  Page 47  |  Page 48  |  Page 49  |  Page 50  |  Page 51  |  Page 52