The Irish Government’s news department, Merrion Street, has issued an update regarding the storage of personal data by Irish companies in or on UK based cloud systems.
By way of preparedness, especially where the UK leaves the EU without a deal, the Government is advising that those companies who may be storing personal data, such as HR or client mailing lists, in the UK or using UK based systems, look closely at their current systems for compliance with the latest data protection rules, and adjust them as required.
Latest Irish Government advice:
- The General Data Protection Regulation (GDPR) is an EU-wide standard for protecting people’s data and sets out the high standards of data protection and obligations that all businesses must meet when processing the personal data of customers and employees.
- With the UK due to leave the EU, the Irish Government is working with EU partners to ensure protection is in place for cloud personal data transferred post-Brexit.
- If your business involves the transfer of personal data to or from the UK, you must ensure that the necessary protections are in place so that you can continue to transfer personal data post-Brexit.
- This includes transfers such as mailing lists if you have UK based clients, or employee data if you use a UK-based payroll firm etc. It also includes data storage and website hosting where this involves personal data.
- Data protection and commercial transfers of personal data are regulated at the EU level and there is a range of measures that enable such transfers to and from third countries .e.g. special contractual clauses, binding corporate rules and approved codes of conduct
- All companies are advised to review their existing processes and contracts to assess whether they involve data transfers to the UK and to ensure compliance with data protection regulations.
The Data Protection Commission has provided a clear position about Brexit and personal data transfers in the event of a no-deal Brexit…
‘Care is required to ensure that, operationally, transfers are conducted and managed in a way that ensures that personal data is at all times protected to the level contemplated by the GDPR and that the obligations assumed by the parties under the terms of their SCCs contract are in fact discharged in practice. Like all other elements of the data processing arrangements of a business, planning is required to ensure compliance with GDPR requirements generally’.
The Data Protection Commission website is worth reviewing regulary for the latest guidance HERE.
For further general (and updated) Brexit guidance by the Government click HERE.
If you wish to discuss or receive advice about your responsibilities regarding Brexit and any cloud connection in terms of personal data, call me, Donnacha Anhold at Carter Anhold & Co., Solicitors (Sligo and Dublin) at +353 71 9162211.