Data flow and GDPR are two of the less publicised areas which will be affected by Brexit. Every recruitment agency needs to understand the implications as the transition period ends on December 31, 2020.
Any company which does business with mainland Europe relies upon a smooth data flow across borders. Even though the UK Government has stated that it will allow outgoing data to continue without additional measures, the current standards will be changing.
The effects of Brexit on cloud-based services and outsourced functions are numerous, so we have tried to cover the main issues below.
What happens to GDPR?
The UK has made plans to consolidate current EU and UK GDPR legislation into a new set of UK GDPR guidelines. This sounds simple, but defining who is responsible for the data could be tricky, especially if the UK leaves the transition period without an adequacy arrangement.
From January 1, 2021, the UK will become a ‘third country’. Under GDPR, personal data must not be sent outside the EU unless systems are in place to guarantee equal rights and protections. This is not a new arrangement as 12 jurisdictions (including the Channel Islands), have adequacy decisions.
Potential bumps in the road include the UK’s National Data Strategy which suggests divergence from EU standards to establish “sovereign controls” in data protection. How the UK shares data with the USA also concerns the EU, as it could prove to be a back door for national security agencies.
Will Brexit affect data sent from the EU to the UK?
If Brexit negotiators cannot agree on an adequacy decision, there cannot be free data flow from the EU into the UK without an approved system.
Experts predict that a solution could be agreeing standard contractual clauses (SCCs). However, these may not cover every data flow situation and will need to be drawn up before the end of the year.
Alignment between the UK and the EU is the major stumbling block and will need to be resolved to allow intelligence and law enforcement agencies to access each other’s data. There is still much work to be done before the end of the year.
What happens to data leaving the UK?
EU states will technically become third countries as the UK Government transitionally recognise all European institutions and Gibraltar as providing an adequate level of protection for personal data, allowing information to flow freely from the UK.
The UK has signed agreements with 12 of the 13 EU-adequate countries to preserve the free flow of personal data from them to the UK. This includes countries such as Argentina, Canada, Israel, Japan, New Zealand, Switzerland and Uruguay.
What about data sent to non-EU nations?
Existing EU adequacy decisions will be maintained on a transitional basis and standard contractual clauses (SCCs) issued by the EU will continue to be enforced on international data transfers from the UK.
Going forward, UK’s Information Commissioner’s Office (ICO) will have the authority to issue new SCCs after the transition period ends.
Data transfers from the UK to the USA remain a subject of debate and will depend upon the two countries signing a separate agreement.
What can you do?
With so many doubts surrounding future data flow arrangements between the EU and UK, businesses will need to consider appointing a representative in third-party countries. Current contracts will also need to be reviewed, adjusted or replaced.
If you have any questions surrounding data flow in a post-Brexit Britain, the UHY Hacker Young Recruitment Business team are always on hand. We are specialist accountants who offer recruitment and employment businesses dedicated expertise in areas such as accounting, finance, taxation and business growth and work alongside other recruitment specialists to support all aspect of running a recruitment business.