The ICO has issued a statement in response to the UK Government’s announcement on the extended period for personal data flows between the UK and the European Union.
Treaty agreed with the EU will allow personal data to flow freely from the EU (and EEA) to the UK, until adequacy decisions have been adopted, for no more than six months.
Despite adequacy decisions that may be adopted, UK businesses that work with EU and EEA organisations and transfer personal data to them must put in place alternative transfer mechanisms to safeguard against any interruption to the free flow of EU to UK personal data.
What you (a company located in the UK or in a British overseas territory) should implement to allow the free flow of data?
1. Implement a data protection program and comply with the GDPR, regardless of Brexit;
2. Enhance your technical and organisational privacy standards;
3. Understand your international flow of personal data to identify where you receive data from the EEA, and where you transfer data to any other country;
4. Review your privacy policies, notices, procedures, internal documentation and contracts;
5. Train your employees on the changes in your documentation and on how Brexit will impact data transfers;
6. For most businesses, and particularly for small and medium enterprises, the use of standard contractual clauses is the most convenient solution to provide appropriate safeguards for restricted data transfers. However, each case is unique, and the solution should be tailored to your circumstances.