It is with a degree of embarrassment I admit to publishing, about a year ago, a calendar on the countdown to Brexit. The idea was to point out what small and medium sized email marketing companies needed to do to ensure a smooth transition. My only defence is that I was not the only person to over-anticipate Brexit.
It is still relevant now, as long as you ignore the publishing date, and is still useful. In the meantime, and there’s been a lot of that, the Information Commissioner’s Office (ICO) has progressively updated its Guidance on how to prepare, and included certain resources.
The point of their Guidance is “to help small to medium-sized UK businesses and organisations keep personal data flowing with Europe (the EEA) after Brexit.” It starts in a reassuring way for email marketing companies by stating that, in the event of a no-deal Brexit, the rules for such organisations will mostly stay the same. You will note that they said mostly, and the rest of the Guidance supports this.
First the good news. If you are a small to medium sized company which does not send or receive data from the EEA (the EU plus Norway, Iceland and Liechtenstein) and have no customers there, then the advice is to ensure you comply with all the recommendations of the GDPR and the Data Protection Act 2018. It is possible that, once the final details are resolved, small modifications might be required. You should keep an eye on the ICO website as nothing is written in stone.
If a business or organisation in the EEA is sending you personal data, then it will still need to comply with EU data protection laws. You will need to take steps to ensure that the data can continue to flow. For most, Standard Contractual Clauses (SCCs) would seem to be the best option. The Guidance explains SCCs and contains an interactive tool to help.
The situation is only a little more complex if you operate in the EEA as well. You will need to comply with the EU regulations and also the UK ones. You will have to discover which European data protection regulator will be your ‘lead supervisory authority’.
In most circumstances a representative in the EEA will be required to act as your local representative. This cannot be your data protection officer. Again, the ICO has a comprehensive guide to local representatives.
Email marketing is, of course, personal data heavy but the ICO considers that we will not have to take any extra steps. This had the caveat of ‘at this stage’ and is an important limitation.
The common theme through the Guidance is that, if you have personal data, you should monitor the ICO website for any updates and changes. The situation is unlikely to be resolved soon. The Guidance rewards careful reading. Anything that is not clear as to the actions required needs to be resolved as soon as possible.
Review your privacy information and documentation. Record all steps you take, including any minor changes required.