In light of the various leaving scenarios currently being discussed of which a “no deal Brexit” is looking likely, it is essentail that SaaS suppliers and SaaS customers take steps now to ensure that they can continue to lawfully process and transfer personal data between the EU and the UK following Brexit.
These actions should be taken regardless of whether there is a “hard Brexit”, “soft Brexit” or “no deal Brexit”.
How to Prepare
The exact measures SaaS suppliers and SaaS customers need to take will depend upon the structure of their businesses:
- In which countries you have offices and employees
- Where SaaS customers are located
- From which countries SaaS customers collect personal data that is to be processed
- Where a SaaS supplier’s data centres are located
- Where any sub-processors are located
- Where any suppliers and sub-contractors are located
- Where subsidiaries are located
Actions to Take
Depending upon the above, SaaS suppliers and SaaS customers may need to:
- amend existing data processing agreements – particularly any references made in them to the EU;
- amend existing privacy policies – particularly any references made to the EU;
- amend existing SaaS agreement terms and conditions – particularly any references made to the EU;
- enter into EU standard contractual clauses with any subsidiary, data centre, sub-contractor or sub-processor located in the UK who processes personal data relating to an individual located in the EU;
- enter into model contract clauses with any EU located SaaS customer – to permit the SaaS customer to lawfully transfer personal data to the SaaS supplier for processing in the UK;
- appoint an EEA representative as required under the GDPR to deal with any data protection complaints made by individuals located within the EU or assist with investigations carried out by EU data protection authorities.
Further Information Sources
The UK’s data protection authority (the “ICO”) has published guidance for businesses and SMEs on preparing for a no deal Brexit. This includes a ‘six step’ plan, broader guidance, FAQs, and an interactive tool to help assess whether standard contractual clause are an appropriate data transfer solution.
The UK Government has released business advice guidelines for a no deal Brexit that applies to UK businesses trading with the EU generally.
Whether you are a SaaS supplier or SaaS customer you should be taking action now to ensure that you will be able to continue to lawfully operate your business in relation to the UK and EU (in particular transferring personal data from the EU to the UK) after Brexit.
Irene Bodle is an IT lawyer specialising in SaaS, with over 14 years experience dealing with SaaS, cloud computing matters and IT law issues. If you require assistance with any SaaS agreements, cloud computing matters or any other IT legal issues please contact me at:
To register for my newsletter click here
Other related articles: