After the UK Parliament rejected the Brexit Agreement terms proposed by the Prime Minister, companies which transfer personal data to this country in some way should pay attention.
The Lithuanian State Data Protection Inspectorate warns that if the United Kingdom leaves the European Union without signing a Brexit agreement, legal entities should prepare procedures aimed to protect the personal data they have access to, all to ensure the legality of transferring personal data to the UK. If such procedures already exist, legal entities should make sure that they will remain valid.
If this happens, the United Kingdom will no longer be a member of the European Economic Area, which will mean that it is going to be considered as a “third party” when data transferring is concerned. Legal entities should implement additional security measures to make sure that European data security standards are being followed after the data has been transferred.
For example, if the data from a Lithuanian company is being held on a server located in the United Kingdom, this company will have the duty to ensure that the personal data that finds its way onto this server located in the UK is sufficiently protected legally.
The General Data Protection Regulation outlines the legal ways to transfer data from an EU or EEA country to a third party. The European Commission has ruled some countries’ data protection systems to be sufficient. This means that data can be transferred to these countries from members of the EU and EEA without additional security measures. The UK will not be deemed sufficient by the end of March, 2019.
In this case, companies and organizations are advised to:
– Analyse and identify the type of personal data held, protected, or managed in the United Kingdom.
– Evaluate if present procedures ensure proper protection of personal data and if it will remain sufficient when/if the UK leaves the EU in March 2019.
– Reevaluate agreements with data controllers and processors and determine sufficient legal personal data protection, keeping in mind that the UK is considered to be a “third party”.
If you require additional information or a consultation on legal means of protecting data that’s being transferred to third parties, you are welcome to contact us.