No-deal Brexit - how to keep your processing legal

If you move personal information between the UK and other EU countries then a no-deal Brexit will have immediate implications for the legality of this processing. Without preparation a legitimate, or malicious challenge from a data subject could generate avoidable hassle and costs.

In a no-deal Brexit the UK will, overnight, move from being a member of the EU to a ‘Third Country’ from a GDPR perspective. As a data controller you can’t simply transfer personal information to third country without consideration. To do so without the correct contract terms in place would be illegal.

The good news is that in most scenarios the preparation will enable processing activity to continue unchanged. The main action that is required is to ensure that you have the correct terms in a written contract that covers the EU-UK data transfer.

These terms are referred to as ‘model terms’ or SCC (Standard Contract Clauses). There are a few sets of them to cover each permutation to EU <-> UK and controller <-> processor.

You can find good information from the ICO here

There’s a tool to help you work out which Standard Contract Terms are relevant to you here. It also links to a couple of example contracts that you can use.

The contract terms will not on their own cover every scenario and there are some other jobs that need doing. The guide from the ICO highlights some of the things you should be aware of. For example you’ll need to ensure that you have updated your privacy notices to reference the international transfer, and you will also need to check that any contract you already have with third country processors (e.g. in the US) correctly cover data that is transferred from the UK and not only that from the EU.

If you want help to ensure ongoing compliance or your team would benefit from some support through the process then drop me an email at oliver@oliverwestmancott.com or call on 07960 515576.