Like everyone in the UK right now, we are following the twists and turns of the Brexit negotiations. The sharing of customers’, citizens’ and employees’ personal data between EU member states and the UK is vital for business supply chains to function and public authorities to deliver effective public services.
At the moment personal data flow is unrestricted because the UK is an EU member state. If the proposed EU withdrawal agreement is approved, businesses can be assured that personal data will continue to flow until 2020 while a longer term solution can be put in place.
However in the event of ‘no deal’, EU law will require additional measures to be put in place by UK companies when personal data is transferred from the European Economic Area (EEA) to the UK, in order to make them lawful.
With just over a month to go until the UK leaves the EU, many businesses and organisations are concerned.
What a ‘no deal’ Brexit will mean for UK companies transferring personal data to and from the EEA?
In a ‘no deal’ situation the UK Government has already made clear its intention to enable data to flow from the UK to EEA countries without any additional measures. But transfers of personal data from the EEA to the UK will be affected. The key question around the flow of personal data is whether your data is going from the UK to the EEA or exchanged both ways? If you are unsure, start by mapping your data flows and establish where the personal data you are responsible for is going. All businesses operating in the EEA should consider whether they need to take action now.
When a customer passes their own personal data to a company in the EEA or the UK, it is not considered to be a data transfer and can continue without additional measures. However, there may be other ways you transfer data, for example a booking agency transferring a list of customers, in this case you may need additional measures.
Personal data transfers are not about whether your business is exporting or importing goods. You need to assess whether your business involves transfers of personal data, such as names, addresses, emails and financial details to and from the EEA and if this is going to be lawful in the case of ‘no deal’. It is the responsibility of every business to know where the personal data it processes is going, and that a proper legal basis for such transfers exists.
‘Adequacy’ is the term given to countries outside the EU that have data protection measures that are deemed essentially equivalent to European standards. Companies and organisations operating within countries with adequacy agreements enjoy uninterrupted flow of personal data with the EU. But an assessment of adequacy can only take place once the UK has left the EU. These assessments and negotiations have usually taken many months. Although it is the ambition of the UK and EU to eventually establish an adequacy agreement, it won’t happen yet. Until an adequacy decision is in place, businesses will need a specific legal transfer arrangement for transfers of personal data from the EEA to the UK, such as standard contractual clauses.
Don’t presume you are covered by the structure of your company. In the case of ‘no deal’, UK companies transferring personal information to and from companies and organisations based in the EEA will be required by law to put additional measures in place. You will need to assess whether you need to take action. There are many mechanisms companies can use to legitimise the transfer of personal data with the EEA and standard contractual clauses is one of those.
Penalties (December 2018 – February 2019)
Leave.EU Group Limited has been fined £45,000 for sending unsolicited direct marketing emails without the required consent.
Leave.EU Group Limited has been fined £15,000 for sending almost 300,000 unsolicited communications on a single day for which they did not have consent.
Eldon Insurance Services Limited (trading as GoSkippy Insurance) has been fined £60,000 for instigating the sending of unsolicited direct marketing emails without the required consent.
Alistar Green Legal Services Limited based in Liverpool has been fined £80,000 for making 213 nuisance calls to TPS subscribers between March and July 2017.
London-based firm Tax Returned Limited has been fined £200,000 by the Information Commissioner’s Office (ICO) for sending out millions of unsolicited marketing text messages.
Fines to organisations that have not paid the data protection fee
The ICO has issued the first fines for not paying the data protection fee to organisations across a range of sectors including business services, construction, finance, health and childcare. All organisations, companies and sole traders that process personal data must pay an annual fee to the ICO unless they are exempt. Fines for not paying can be up to a maximum of £4,350.
This follows regulations which came into force alongside the new Data Protection Act on 25 May 2018.
These first organisations have been fined for not renewing their fees following their expiry and more fines are set to follow. More than 900 notices of intent to fine have been issued by the ICO since September and more than 100 penalty notices are being issued in this first round.