Guidance on what should happen with transfers of personal data to and from the United Kingdom, including Northern Ireland, following a possible ‘no deal’ Brexit has been published by the Irish Data Protection Commission (DPC).
The organisation warned that Irish and Irish-based companies that manage private personal data will be required to ensure that any data transferred to the UK is transferred lawfully after March 29, the possible date of the UK leaving the European Union. Failure to complete this preparation could result in the standard GDPR fines being applied: 4% of annual global revenue or €20m, whichever figure is higher. From that date, in the event of no exit deal being agreed, the UK must be treated as any other non-EU State and would not enjoy the free movement of data that it currently does.
Speaking to SC Media recently, Joseph Carson, chief security scientist and advisory CISO at Thycotic, compared the process to the months leading up to the go-live date for GDPR on May 25 2018. He said: “However, this time due to the poor decision making within the UK parliament, organisations now have less than three months to prepare a digital data border. Organisations that have done a good job of preparing for EU GDPR will have made it easier for themselves as this would have surely helped understand what data they store and how it is processed so it might make the short turnaround much easier.”
Speaking to the same publication, Patrick Grillo, senior director of solutions marketing at Fortinet, said: “With a structured Brexit (read deal in hand) it is assumed that there would be a reasonable transition period allowing organisations to smoothly manage their operations to other countries and/or permitting the UK to become an authorised third-party country. Without that transition period, however, the potential for significant disruption is real. With the Irish border issue being such a key point of the Brexit negotiations, it is curious that this aspect of a no-deal Brexit has not been talked about more often.”
Should a ‘no deal’ Brexit occur, it will be of paramount importance for all companies transferring data from EU-based offices to the UK, including those primarily based in other parts of the world, to ensure that they do so lawfully in order to avoid all possible penalties.