Personal data issues arising from the UK’s departure from the EU are 'broad and deep' – and Irish businesses that ignore these issues do so 'at their peril' in the event of a hard Brexit, Ireland’s data protection commissioner (DPC) has warned.

Speaking at the ‘Brexit and Data Protection’ event – organised by DCU’s Brexit Institute and sponsored by AIB, Arthur Cox, Grant Thornton and Dublin Airport Central – data protection commissioner Helen Dixon said there is now a reasonable level of awareness and preparedness among Irish businesses ahead of Brexit.

If there is a ‘no deal’ Brexit on October 31, it will immediately affect the free flows of personal data between Ireland and the UK, and between north and south on the island of Ireland, as EU law will immediately recognise the UK as a ‘third party’ country under the EU Data Protection Law.

A 14-month ‘breathing space’

If it is an orderly Brexit, there will be a 14-month ‘breathing space’ or transition period to address some of the issues relating to the transfers of personal data from the UK to the EU and vice versa.

However, after this transition period, we will move into an area of uncertainty when it comes to data protection issues, said Dixon.

“The data issues, and in particular, the personal data issues that arise with the UK’s departure from the EU are non-trivial and they’re both broad and deep,” she said.

“Personal data, as you all know, is involved in everyday transactions between the UK and Ireland, including on the island of Ireland, between north and south.

“And it arises in the context of immigration and asylum, law enforcement in particular, security and intelligence, all types of trade and commerce, banking, medicine, sports administration, tax, tourism and so on.

“Up to now, we’ve simply never had to think about the jurisdictional implications, from personal data flows from Ireland to the UK, including Northern Ireland, and vice versa, as the EU Data Protection law guaranteed those free flows of personal data within the EU and in fact the broader European Economic Area.

“While EU Data Protection Law guarantees the free flows of personal data within the EU, it conversely then prohibits transfers of EU personal data outside of the EU and that is unless it can be demonstrably ensured that the level of protection guaranteed by EU law isn’t undermined.”

Since the Brexit referendum, the Office of the DPC has been working with businesses and public sector bodies to prepare for Brexit.

“We’ve been working hard as an office in the last number of months to prepare public sector bodies and SMEs and micro-enterprises, in particular for the new and immediate requirements in the event of a ‘no deal’,” she said.

Come under DPC’s jurisdiction for regulation

Interestingly, Dixon added that several major companies in the UK have made arrangements to allow themselves to come under the DPC’s jurisdiction for regulation.

Dixon warned businesses that don’t prepare for Brexit and the changes to data protection laws and requirements that, post-Brexit, individuals can report them to the Office of the DPC for non-compliance, and penalties could be heavy. It is worth businesses’ time to prepare now to ensure this scenario doesn’t occur, she told the event.

Dixon also made the observation that the only difference between the deal and no-deal Brexit scenarios – in terms of data transfers between the UK and EU – is time.

When the UK leaves the EU, it will adopt a law saying EU data flowing into the UK is fine. But data flows from the UK to the EU will be treated differently, as EU law will recognise the UK as a ‘third party’ country post-Brexit.

For a full report, check out the DCU Brexit Institute Blog here: