Businesses must keep a close eye on data protection as Brexit looms
Small businesses in the East that rely on the free flow of data from Europe will need to review their GDPR policies before the new year, a solicitor has warned.
Matthew Cole, a partner at Prettys, said that even if the UK manages to secure a trade deal as it fully withdraws from the European Union, transfer of personal data from the EU to the UK could become much more difficult.
This would have a huge impact on small or medium-sized businesses, while large firms and multinationals are more likely to have established data transfer mechanisms already in place to keep them protected.
When the transition period ends, the UK will become what is known as a third country, a state that falls outside the European Economic Area (EEA) – the EU plus Iceland, Norway and Liechtenstein.
GDPR rules restrict the transfer of personal information to third countries from the EEA unless that data is protected in another way or exceptions apply.
Third countries can send data to the EEA uninterrupted, as long as they are compliant with GDPR.
Mr Cole said: “So much is yet to be decided in the details of the full withdrawal and businesses need to keep a close eye on any changes.
“Even if the UK and EU come to an agreement, businesses may still face difficulties accessing data.
“The most important thing for firms to do now is to comply with current GDPR rules as these will remain in force even after the transition period ends.
“Organisations that receive personal data from the EU should look at putting in place Standard Contractual Clauses (SCCs) to help ensure they comply with EU rules and to help navigate this time of uncertainty.”
An SCC is a contract between a company inside the EEA and a company outside, acting as a safeguard by committing both to transferring data using the EU-approved terms.
Mr Cole said companies could also consider whether they can achieve their aims without sending personal data at all.
If the information is anonymous and does not identify the individuals involved, it does not count as personal data and so can be transferred to countries outside the EEA.
For more information on how to make sure your company follows data protection rules visit https://ico.org.uk/for-organisations/data-protection-at-the-end-of-the-transition-period/