
16/12/2019

ICO updated guidelines to prepare UK businesses for a no-deal scenario

 

Last September, the Information Commissioner’s Office (“ICO”) published its updated guidelines to help UK businesses deal with a possible no-deal Brexit[1]. While the Brexit date keeps being postponed, and the date of elections in the UK approaches, the ICO wants every UK data controller and processor to prepare immediately for a possible no-deal Brexit in order to avoid endangering the data flow between the two sides of the English Channel.

Accordingly, even though the new guidelines do not depart from previous detailed recommendations published by the ICO to help UK businesses navigate a no-deal Brexit[2], they simplify these instructions to address small and medium enterprises’ needs. Moreover, the UK Information Commissioner Elizabeth Denham complemented the guidelines with a blog post aimed at helping small and medium enterprises to bust some myths about Brexit[3].

As a general legal framework, the data protection rules would not change dramatically in the event of a no-deal Brexit, because the United Kingdom is planning to incorporate GDPR in the Data Protection Act 2018 (“UK GDPR”). The main risks of a no-deal Brexit would instead involve the flows of personal data between the European Economic Area (“EEA”) and the UK, each of which would be considered a third country under the other’s data protection legislation.

As to data transfers from the EEA to the UK, it is unlikely that the EU Commission would consider the UK an adequate country under article 45 GDPR. Although the two data protection regimes would be largely equivalent, the EU Commission must, as US companies experienced with the Schrems decision, analyze the overall level of protection of human rights and fundamental freedoms in its adequacy decision. In this respect, some national security rules adopted by the UK would likely hinder that adequacy process. Therefore, as suggested by the ICO, EEA businesses are expected to resort to the adoption of Standard Contractual Clauses, whose implementation would require the cooperation of UK businesses.

By contrast, data transfers from the UK to the EEA would be unaffected by a no-deal Brexit because the EEA countries would be considered adequate by the UK.

Ultimately, UK businesses should carefully consider the instances in which they operate directly in the EEA, which, according to the broad territorial scope of the GDPR, includes the following activities: operating in the EEA through an establishment (regardless of where the processing takes place), and offering goods or services to, or monitoring the behavior of, data subjects in the EEA.

In these cases, UK businesses would be subject to double regulation because both the GDPR and the UK GDPR would apply. While these regulations would impose very similar obligations, UK businesses should still carefully consider every additional obligation. For instance, they could be required to appoint an EU representative under article 27 GDPR, who would act as a local representative in dealings with individuals and data protection authorities in the EEA.

UK businesses would also need to review their information notices and establish a relationship with an EEA-based data protection authority, in addition to the ICO.

If you want to learn more about the possible legal consequences of a no-deal Brexit, see also the article “Deal or not Deal; that is the question”. Le principali conseguenze giuridiche di una no-deal Brexit sulla protezione dei dati personali e i suoi impatti operative, written by Gaetano Arnò[4].



[2] All the guidelines provided by the ICO can be found at https://ico.org.uk/for-organisations/data-protection-and-brexit/. However, upon publishing the new guidelines for small and medium enterprises, the ICO decided to remove the previous 6-step guidance from the website to avoid any confusion.

[3] UK Information Commissioner Elizabeth Denham, Blog: How will personal data continue to flow after Brexit? (September 10, 2019), https://ico.org.uk/about-the-ico/news-and-events/blog-how-will-personal-data-continue-to-flow-after-brexit/

[4] The article is currently available only in Italian.
