Out-Law / Your Daily Need-To-Know

Brexit will not invalidate intra-company data transfer arrangements, says UK watchdog

22 Nov 2017, 10:53 am

Arrangements for intra-company data transfers endorsed by the Information Commissioner's Office (ICO) will not be invalidated when the UK exits from the EU, the watchdog has said.

James Dipple-Johnstone, deputy commissioner for operations at the ICO, clarified the issue in a new blog on 'binding corporate rules' (BCRs).

BCRs are contractual provisions businesses can agree with data protection authorities that commit those businesses to handling and protecting personal data in a way which accords with the requirements of EU data protection law when transferring that data to other companies in their group in non-EEA locations.

BCRs agreed with the ICO prior to Brexit will continue to apply after the UK leaves the EU in March 2019, Dipple-Johnstone said.

"It’s important to note that no BCR authorisation will be cancelled because of Brexit," Dipple-Johnstone said. "The ICO will continue to work together with other European data protection authorities for international transfers to be achieved and to ensure that the ICO’s leading expertise in BCR is continually available to the international controller and processor community."

The ICO processes about a quarter of all BCR applications filed before data protection authorities in the EU. Dipple-Johnstone said about 40 applications are currently being processed by the authority.

Businesses should ensure that the BCRs they commit to provide for compliance under new EU data protection laws, Dipple-Johnstone said. The General Data Protection Regulation (GDPR) will apply from 25 May 2018.

According to Dipple-Johnstone, new guidance on BCRs under the GDPR should be published by the Article 29 Working Party, a committee of data protection authorities from across the EU, before the end of 2017.

"We are asking any company planning to apply to the ICO for BCRs to ensure their application aligns with the GDPR," Dipple-Johnstone said. "This is so that, once they are processed, they will comply with the new rules when they come in from May 2018. This is in line with the approach taken by the other EU data protection authorities. GDPR-compliant applications submitted from now will receive approval after May 2018, once the new legislation is in effect."

"Organisations that have previously had BCRs approved by the ICO will need to ensure that they (and all their data processing) are GDPR compliant by 25 May 2018, as there is a requirement that BCRs take into account modifications of the regulatory environment. Companies can inform us about the changes made to make sure their BCRs comply with GDPR when they next contact us with their annual update. We will be writing about this to all individual approved BCR organisations nearer the time," he said.