DATA PROTECTION COMMISSIONER Helen Dixon has said that if Irish businesses fail to put appropriate safeguards in place for the flow of data to UK companies after Brexit, it will be “at their peril”.
Dixon was speaking at an event on Brexit and data protection held by the DCU Brexit Institute yesterday.
“While I realise organisations have a huge amount to do to get ready for Brexit, and particularly a no-deal Brexit, I think this is an area they will ignore at their peril,” she told the room.
She said that those who do not have these safeguards in place, continue to transfer personal data to a UK business and incur a data breach will face fines of up to €20 million or 4% of their annual turnover under GDPR rules.
Speaking about the scenarios that may arise whether the UK leaves the EU with or without a deal, Dixon said that certain safeguards, known as standard data protection clauses, need to be put in place by businesses regardless of the Brexit outcome.
Dixon explained that the clauses are approved by the EU and incorporated in private contracts between a data exporter and importer.
“For third countries (which the UK will become if it leaves the EU without a deal) like the US, standard clauses are the most frequently and commonly used legal mechanism to effect lawful transfers,” she explained.
Dixon said that “in theory” organisations should already have these contracts in place under section 28 of GDPR rules, regardless of jurisdiction.
She used the example of a business that has an agreement in place with an outside company to administer payroll services. In this circumstance there would be a contract in place that included a data transfer clause whether the payroll company is based in the UK or in Ireland.
Dixon outlined that while many multinational companies have the correct contractual obligations in place, this doesn’t seem to be the case with smaller businesses.
“When we have gone out as an office, and we have done a lot of it over the last twelve months, to give talks on Brexit and the implications, we often meet a lot of blank faces when we mention you just have to insert the clauses into your existing article 28 contracts, so it may beg the question of what compliance levels there are with those currently,” she said.