As the clock ticks down to the Brexit date of 29 March 2019, the prospect of the UK leaving the European Union (EU) without a deal becomes ever greater and businesses should ensure they are prepared for it, says Jonathan Bamford, director of strategic policy at the Information Commissioner’s Office.

While the UK government intends to seek an adequacy decision for the country, which would recognise the UK’s data protection regime as essentially equivalent to those in the EU, this will not be in place before Brexit, the ICO has warned.

“Some people think there is going to be some magic adequacy finding by the EC around 29 March, but the EC and the UK government don’t think that is going to happen,” Bamford told a Westminster eForum event on GDPR practice in London. “So you need to think about what the situation will be if there isn’t an implementation period as the result of a withdrawal agreement – a no-deal Brexit – and you need to prepare for that.”

The government has made it clear that the General Data Protection Regulation (GDPR) will be absorbed into UK law at the point of exit, said Bamford, which means there will be no substantive change to the rules that most organisations need to follow. But he emphasised that organisations need to prepare for the possibility of a no-deal Brexit because there may be no adequacy agreement for some time.

“Organisations really need to have some thoughts on that and have some processes in place,” he said, not only for organisations that receive data from Europe, but also those that use cloud services based within the EU.

“Many organisations don’t realise that their cloud services are not based in the UK, and that could expose them to risk,” he added.

Barry Moult, director of BJM IG Privacy, said he thought he knew where all his organisation’s data was, but found out recently that a contractor had switched storage services to a cloud provider outside the EU without notifying him at the time.

“It turned out that they had been doing this for up to eight months before we happened to find out,” he told the Westminster eForum. “So I think there is a lot of work to be done around where data is stored and who has access to it.”

Linda NiChualladh, head of privacy, legal at Citi, said the banking group had renegotiated all of its data services supplier contracts for the GDPR in the light of Brexit. “But you can only do that if you know where your data is, which meant a huge emphasis on understanding data flow, which for most organisations has been a difficult challenge,” she said.

“For global organisations operating in multiple jurisdictions, you also have to have regard for how you transfer data within your organisation. It is not just about third-party data transfers, so you might have to look at whether your binding corporate rules stack up in the light of GDPR and Brexit.”

Bamford encouraged organisations to consult the dedicated data protection and Brexit page on the ICO website, which includes a “Six steps to take” guide, broader guidance on the effects of leaving the EU without a withdrawal agreement, and a general overview in the form of frequently asked questions.

According to ICO guidance, organisations that rely on transfers of personal data between the UK and the European Economic Area (EEA) will be affected by a no-deal Brexit.

Personal information has been able to flow freely between organisations in the UK and the EU without any specific measures because of the GDPR, but this two-way free flow of personal information will no longer be the case if the UK leaves the EU without a withdrawal agreement that specifically provides for the continued flow of personal data.

In this event, the government has already made clear its intention to permit data to flow from the UK to EEA countries. But transfers of personal information from the EEA to the UK will be affected, the ICO has warned. Potential solutions include putting standard contractual clauses (SCCs) in place with organisations outside the UK.

Bamford said: “Because SCCs may come to the fore, there is guidance to help organisations decide if that will work for them, and there is also a new SCC generator to help organisations formulate the text they need.”

Chris Combemale, chief executive of the DMA Group, pointed out that articles 40 and 41 of the GDPR indicate a clear role for industry codes of conduct, backed by a robust co-regulatory enforcement mechanism.

“The regulation states that associations or other bodies representing categories of controllers or processors should be encouraged to draw up codes of conduct within the limits of this regulation so as to facilitate the effective application of this regulation, taking into account the specific characteristics of the processing area in certain sectors and the specific needs of micro, small and medium enterprises,” he said.

“Of particular interest is article 40 clause three, which states that international data transfers to third countries could be carried out under an industry code if there was no adequacy agreement in place.

“So, in other words, for marketing, if we had a code approved by the EDPB [European Data Protection Board], you could carry out your marketing data transfers and processing under that code in the absence of an adequacy agreement and as an alternative to SCCs, which is particularly urgent in the light of the fact that we may be heading for a no-deal Brexit.

“Therefore, it is very unfortunate that the EDPB has not yet started taking applications for industry codes or set out clearly the process for doing so, despite the fact that the direct marketing industry and many others are ready to implement such codes.”

Combemale added that the GDPR covers every aspect of the economy, and “only the experts in a particular field really understand how it applies to their particular sector”.

Industry codes important

Although there is no hope that there will be any approved industry codes by 29 March, Combemale said the codes are important in the longer term to take advantage of the fact that the GDPR allows for the possibility of co-regulation in the area of data protection, which has not existed before.

“The ICO has a team looking at industry codes and we believe there is going to be a role for industry in interpreting GDPR, and some level of cases may be handled under those codes with industry enforcement mechanisms, leaving national data protection authorities free to deal with the most difficult and complex cases that create the most harm for the most people,” he said.

Emily Sheen, manager, data protection strategy, legal and compliance services at PwC, said that although there was “no need to panic”, organisations do need to think about what a no-deal Brexit could mean for them in terms of their business data flows from the EU.

“Hopefully, most organisations have an idea about the data processing and sharing that is being done within the EU, but they need to be thinking about SCCs as an alternative way of enabling those transfers,” she said, adding that although SCCs are “not that difficult” to implement, organisations should be preparing to do so if the need arises.

“I would recommend that organisations should identify where their riskier or more important data transfers are, and have some plan in place to get those SCCs implemented in what may be a short space of time,” Sheen added.