---

Business warned on data transfers to Britain

Companies storing personal data (such as client mailing lists or HR information) in Britain, or in a British-based cloud service, have been warned that General Data Protection Regulation (GDPR) protections will not be in place post-Brexit.

This includes personal data transfers such as mailing lists to British-based clients, or employee data where a British-based payroll firm is used.

It also includes data storage and website hosting where this involves personal data. Data protection and commercial transfers of personal data are regulated at the EU level and there is a range of measures that enable such transfers to and from third countries.

All companies are advised to review their existing processes and contracts to assess whether they involve data transfers to Britain and to ensure compliance with data protection regulations.

The Data Protection Commission has issued guidance on what measures would apply in the event of a no-deal Brexit and sets out detailed advice.

Guidance 

It has also published guidance on the transfer of personal data to and from Britain in the event of a ‘no deal’ Brexit and a sample set of Standard Contractual Clauses.

• The Data Protection Commission has engaged extensively with stakeholders, directly and at events, to assist companies and public sector bodies make the necessary arrangements to prepare in advance of Brexit,

• Administrative arrangements under article 46(3)(b) GDPRhave been authorised for a number of public sector bodies to ensure data sharing will continue with Britain, post-Brexit,
• The Data Protection Commission is engaging with a number of multinational companies that currently have the Information Commissioner’s Office (ICO) as their lead authority for Binding Corporate Rules’ (BCR) as they make arrangements for Ireland to become lead authority for BCRs.