If your organisation shares personal data with businesses in the European Economic Area (EEA), you will need to take steps to ensure you continue to comply with data protection laws if the UK leaves the EU without a deal.
What is personal data? Personal data refers to any information that can be used to identify a living individual, including a customer’s name, their physical or IP address, or HR functions such as staff working hours and payroll details.
Although the UK’s own data protection standards would remain the same, how personal data is transferred from the EU/EEA to the UK would change. This could affect your organisation.
Therefore, if your organisation receives personal data from organisations in the EU you should consider, with your EEA partners, what changes you may need to make to ensure that data can continue to flow after the exit date. These changes will affect organisations both large and small.
Organisations should as a priority, review whether they would be affected. For those that would be, early action is advisable, given changes may take some time to implement.
Practical advice and support is available at ico.org.uk, including ‘Six Steps to Take’ to help you understand the implications and prepare.
Digital Minister Margot James has issued a reminder to SMEs to ensure that they’ve got plans in place so that they don’t lose access to vital data flows if the UK leaves the EU without a deal.
Recent research from YouGov has revealed that 26 per cent of SMEs currently receive and store personal data from people within the EEA. It also identified a number of sectors that said data from the EEA is essential to core or secondary functions within their business’ model.
The top sectors included IT and Telecoms (43 per cent), Manufacturing (26 per cent) and Finance and Accounting (25 per cent). Guidance already exists for SMEs to understand how they can prepare and the Information Commissioner’s Office (ICO) has produced a six step strategy for companies to follow.
Digital Minister Margot James said: “I know that personal data plays a hugely important role in day to day business. The current uncertainty around Brexit is of great concern and businesses need to take action to limit the risk of potential disruption if no deal were to happen. I would urge all companies to check the Information Commissioner’s Office guidance on their website, and make sure that they are as prepared as possible.”
The Government has already introduced robust new data laws through the 2018 Data Protection Act. This included giving people more power and control over their data and strengthening the powers of the ICO. In the event of a deal, through the Withdrawal Agreement, the government has made plans to secure what is known as a "data adequacy decision" from the EU. This will ensure UK and EU firms can carry on exchanging personal data like they do now.
For more information you can call the ICO helpline on 0303 123 1113.