Guidelines on what will happen with transfers of personal data to and from the United Kingdom, including Northern Ireland, following a possible ‘no deal’ Brexit have been released by the Irish Data Protection Commission (DPC).
The agency advised that Irish and Irish-based companies that work with private personal data will have to ensure that data sent to the UK is transferred legally following a possible March 29 date for the UK departing the European Union. Failure to prepare for this eventuality could lead to the standard GDPR fines being applied: 4% of annual global revenue or €20m, whichever figure is higher. From that date, should no exit deal be agreed, the UK must be dealt with as any other non-EU State and would not enjoy the free movement of data that is currently in place.
Joseph Carson, chief security scientist and advisory CISO at Thycotic, speaking to SC Media recently, compared preparing for this to the months leading up to the go-live date for GDPR on May 25 2018. He remarked: “However, this time due to the poor decision making within the UK parliament, organisations now have less than three months to prepare a digital data border. Organisations that have done a good job of preparing for EU GDPR, will have made it easier for themselves as this would have surely helped understand what data they store and how it is processed so it might make the short turnaround much easier.”
Patrick Grillo, senior director of solutions marketing at Fortinet, speaking to the same publication, said: “With a structured Brexit (read deal in hand) it is assumed that there would be a reasonable transition period allowing organisations to smoothly manage their operations to other countries and/or permitting the UK to become an authorised third-party country. Without that transition period, however, the potential for significant disruption is real. With the Irish border issue being such a key point of the Brexit negotiations, it is curious that this aspect of a no-deal Brexit has not been talked about more often.”
In the event of a ‘no deal’ Brexit, it will be vital for all companies sending data from EU-based offices to the UK, including those primarily located in other parts of the world, to ensure that they are doing so in a completely GDPR-compliant manner in order to avoid all possible penalties.