The Information Commissioner's Office (ICO) posted a myth-busting blog for small and medium businesses (SMBs) ahead of World Data Protection Day, with facts on how data will be transferred post-Brexit.
The Information Commissioner Elizabeth Denham explained how personal data will continue to flow between the UK and EU after Brexit.
What is the Information Commissioner’s Office (ICO)? General Data Protection Regulation (GDPR)
At the moment personal data flow is unrestricted because the UK is still an EU member state and if the proposed EU withdrawal agreement is approved, businesses can be assured that personal data will continue to flow until 2020 while a longer-term solution is put in place.
However, a 'no-deal' exit is still a possibility with the government yet to agree on a plan. This means that EU law will require additional measures to be put in place by UK companies when personal data is transferred from the EEA to the UK, in order to make them lawful.
"Like everyone in the UK right now, we are following the twists and turns of the Brexit negotiations," Denham wrote. "The sharing of customers, citizens and employees personal data between EU member states and the UK is vital for business supply chains to function and public authorities to deliver effective public services."
With less than two months to go until the UK leaves the EU, Denham's blog sets out to bust the misconceptions about what a 'no-deal' Brexit would mean for UK companies transferring personal data to and from the EEA.
According to Denham, in the event of a 'no deal' situation, despite the UK government already making it clear its intention to enable data to flow from the UK to EEA countries without additional measures, transfers of personal data from the EEA to the UK will be affected.
"The key question around the flow of personal data, is whether your data is going from the UK to the EEA or exchanged both ways?" she wrote. "If you are unsure, start by mapping your data flows and establish where the personal data you are responsible for is going. All businesses operating in the EEA should consider whether they need to take action now."
Denham also explained that it is the responsibility of every business to know where the personal data it processes is going and that a proper legal basis for such transfers exists.
"Personal data transfers are not about whether your business is exporting or importing goods," she wrote. "You need to assess whether your business involves transfers of personal data, such as names, addresses, emails and financial details to and from the EEA and if this is going to be lawful in the case of 'no-deal'."
"Don't presume you are covered by the structure of your company," Denham also warned. "In the case of 'no-deal', UK companies transferring personal information to and from companies and organisations based in the EEA will be required by law to put additional measures in place. You will need to assess whether you need to take action."
-
Third time lucky? Microsoft finally begins roll-out of controversial Recall featureNews The Windows Recall feature has been plagued by setbacks and backlash from security professionals
-
The UK government wants quantum technology out of the lab and in the hands of enterprisesNews The UK government has unveiled plans to invest £121 million in quantum computing projects in an effort to drive real-world applications and adoption rates.
-
New Zealand privacy commissioner tipped to become next ICO headNews John Edwards is said to be an 'anti-Facebook' regulator who would fit well in the UK's plans to clamp down on big tech
-
What is a freedom of information (FOI) request?In-depth We look at the mechanism citizens can use to hold public bodies to account
-
ICO hints at Facebook hypocrisy over data protection goalsNews Elizabeth Denham asks Facebook to drop appeal after CEO's call for greater internet regulation
-
ICO to investigate Google over GDPR violationsNews UK Watchdog to liaise with other European regulators over 'forced consent' push by the tech giant
-
Leave.EU faces big fine over data law breachesNews Information commissioner reveals Leave.EU was fined a total of £75,000 for “serious breaches”
-
ICO website knocked offline for more than 24 hoursNews The outage was caused by an “unprecedented electrical surge” that damaged its host’s circuits
-
Five NHS bodies breach Data Protection ActNews The ICO finds five NHS bodies recently breached the Data Protection Act, as the health service is called on to up its security game.
-
ICO called on to punish Milton Keynes CouncilNews The local authority posts citizens' addresses and phone numbers online by mistake.
