Personal data flows and GDPR – techUK Brexit webinar
Last Friday techUK hosted the first in their series of Brexit webinars, aiming to prepare businesses for a no-deal Brexit. Here's what we found out.
techUK have previously identified 5 key worries for tech companies post-Brexit, and are addressing one per webinar during their current series. This first webinar addressed the issue of Data Flows post-Brexit.
techUK’s ‘5 areas of worry’ for SME tech businesses are:
- Data Flows
- Freedom of Movement and the immigration system post-Brexit
- Importing and exporting goods and services
- The mobility of workers between the UK and EEA
What is personal data?
Personal data is any information that can be used to identify an individual directly. Personal data is defined in the GDPR as:
“any information relating to an identified or identifiable natural person (‘data subject’)”
This includes everything from your name, gender and date of birth, to more sensitive information such as your racial or ethnic origin, political opinions, or genetic data.
Does GDPR continue to apply to the UK after Brexit?
GDPR covers the European Economic Area (EEA), so organisations operating in the UK that offer goods and services to the EU will still be regulated by the GDPR. However, businesses operating solely in the UK will be regulated by DPA 2018 instead.
If you are an organisation sending data to a business in the European Union, don’t worry: this transfer will still be covered by GDPR. However, if you are an organisation in the UK receiving data from the European Union, this data flow leaves the EEA, and as such is not covered by GDPR.
If you are an organisation sending data solely within the UK, this data flow will not be covered by the GDPR and will instead be covered by the UK DPA 2018 (Data Protection Act).
How will Brexit affect the personal data flow between EU and the UK?
Once the UK ceases to be a member state of the European Union, organisations’ rights to freely transfer and share data between the UK and EU will be lost. Personal data flows will need to be facilitated through other methods.
These other methods are:
- Standard Contractual Clauses (SCCs)
These are contractual terms adopted by the European Commission, providing sufficient safeguards for data protection. They are appropriate for SMEs, with smaller scale data processing activities, and are quite easy to implement, with templates readily available on the ICO website.
- Binding Corporate Rules
These are policies for intra-group international data transfers. They are ideal for multinational companies with large volumes of complex data transfers, and are lengthy, high cost and require assessment by the ICO.
The UK have put forward a case for Adequacy. This can take a very long time to implement, however, so mechanisms will need to be adopted in the meantime. Adequacy is a decision granted by the European Commission for countries that have sufficient protections of privacy rights.
With the 31st of October 2019 speedily approaching, there are several recommended actions that need to be implemented. First of all, it is recommended that businesses understand their own data flows, and create data maps of all the flows into and out of the company. Data mapping allows you to see where information is being received from or sent to, how the data is being processed and what type of data it is. Looking at your data map will help you determine which of the above actions you need to take. It may be that you don’t receive any data from anywhere in the EU!
techUK will be holding further webinars as part of this series; you can get more info and book here.
Information on the General Data Protection Regulation (GDPR) (2018) or the Data Protection Act 2018 in general can be found on the Information Commissioner’s Office (ICO) website.