Government advice for companies who may be storing personal data in the UK or in a UK based cloud service
1 April 2019
The decision of the UK to leave the EU means change. Addressing the challenges of the UK leaving the EU, particularly without any deal, requires response at EU level, by Government, by citizens and responses by businesses and affected sectors.
As part of our preparedness and contingency planning, the Irish Government identified that those companies who may be storing personal data (such as client mailing lists or HR information) in the UK or in a UK based cloud service may be impacted by Brexit.
The following is the latest Government advice that we can give you to help minimise any disruption to your business if you operate in this sector.
Latest advice
The General Data Protection Regulation (GDPR) is an EU-wide standard for protecting people’s data. It sets out the high standards of data protection and obligations that all businesses must meet when processing the personal data of customers and employees.
With the UK due to leave the EU, the Irish Government is working with our EU partners to ensure sufficient protection is in place for any such data being transferred post-Brexit.
If your business involves the transfer of personal data to or from the UK, you need to ensure that sufficient protections are in place so that you can continue to transfer personal data post-Brexit.
This includes transfers such as mailing lists if you have UK based clients, or employee data if you use a UK-based payroll firm etc. It also includes data storage and website hosting where this involves personal data. Data protection and commercial transfers of personal data are regulated at the EU level and there is a range of measures that enable such transfers to and from third countries.
All companies are advised to review their existing processes and contracts to assess whether they involve data transfers to the UK and to ensure compliance with data protection regulations.
The Data Protection Commission has issued guidance on what measures would apply for a majority of companies in the event of a no deal Brexit and sets out detailed advice on how companies should implement these. For further detail and guidance please visit the Data Protection Commission website.
More information on gov.ie/brexit
Further information is available from www.gov.ie/brexit, which is regularly updated with the latest developments so do check back regularly. This Government website provides practical advice to help businesses and citizens around the country to prepare for Brexit.
Notes to editors
Government contingency work in this area
The Irish Government, working with the EU, has a comprehensive Contingency Action Plan to implement measures to mitigate the impact of Brexit. Regarding this area, here are some of the measures that have recently been undertaken:
- The Data Protection Commission has published guidance on the transfer of personal data to and from the UK in the event of a ‘no deal’ Brexit and a sample set of Standard Contractual Clauses.
- The Data Protection Commission has engaged extensively with stakeholders, directly and at events, to assist companies and public sector bodies make the necessary arrangements to prepare in advance of Brexit.
- Administrative arrangements under article 46(3)(b) GDPR have been authorised for a number of public sector bodies to ensure data sharing will continue with the UK post-Brexit.
- The Data Protection Commission is engaging with a number of multinational companies that currently have the Information Commissioner’s Office (ICO) as their Lead Authority for Binding Corporate Rules’ as they make arrangements for Ireland to become Lead Authority for BCRs.