Sunday 20 October 2019

'No-deal' Brexit may hit data transfers

A no-deal Brexit will
A no-deal Brexit will "impact the flow of information" between Irish and UK companies or divisions of each, senior Deloitte executives have said. (stock photo)

Murray Kerchavel

A no-deal Brexit will "impact the flow of information" between Irish and UK companies or divisions of each, senior Deloitte executives have said.

As negotiations between Westminster and Brussels come to a crunch, Irish organisations may be left in uncertainty as to the legal basis under which they can transfer data between jurisdictions.

"Many companies have spent months - and, in some cases, years - preparing for the introduction of GDPR in May last year. They have invested heavily in terms of resources to work towards compliance since then," said Colm McDonnell Deloitte's 'risk advisory' partner in Ireland.

"The impact of a no-deal Brexit will mean that those organisations may now face additional challenges to ensure compliance post-Brexit."

In Britain, the Information Commissioner's Office said the British government intends to allow "data flow" with no additional measures from the UK to the European Economic Area, comprising the EU, Iceland, Norway and Liechtenstein.

But experts are warning that transfers from the EEA to the UK may be affected.

Many EEA-based multinationals or large organisations that process personal data have some form of processing agreement with UK vendors, or transfer personal data between group entities.

Mr McDonnell said that banking and insurance companies which have data processors or group entities based in the UK will have to take measures.

"With many organisations still slowly working towards achieving full demonstrable compliance with GDPR, a no-deal Brexit poses additional challenges," he said.

There are a number of data-protection options available for organisations that find themselves in this position.

Binding corporate rules are internal rules for data transfers within multinational companies.

They allow multinational companies to transfer personal data internationally within the same corporate group to countries that do not provide an adequate level of protection.

But a straightforward application can take 12 months to complete.

Model contract clauses are also something that some big organisations will look to. But with the UK leaving the EU as an outcome of Brexit, further review and amendment of any data processing or transfer agreements between the EEA and the UK will be required.

Indo Business

Also in Business