As a SaaS Supplier or SaaS customer you will be aware that the UK now has a deadline to leave the EU on or before the 31st of October 2019 (“Brexit”).
In light of the various leaving scenarios of which a “no deal Brexit” is now looking extremely likely, it is highly advisable that SaaS suppliers and SaaS customers take steps, before Brexit occurs, to ensure that they can continue to lawfully process and transfer personal data between the EU and the UK after Brexit.
These actions should be taken regardless of whether there is a “hard Brexit”, “soft Brexit” or “no deal Brexit”.
How to Prepare
The exact measures that SaaS Suppliers and SaaS customers need to take will depend upon the structure of their business. The following factors will determine the actions that need to be taken:
- In which countries offices and employees are located;
- In which countries customers are located;
- From which countries SaaS customers collect personal data that the SaaS supplier processes;
- Where data centres are located;
- Where sub-processors are located;
- Where suppliers and sub-contractors are located;
- Where subsidiaries are located.
Actions to Take Now
Depending upon the above, below are some of the essential actions that SaaS suppliers and SaaS customers will need to take in preparing for Brexit:
- Amend existing data processing agreements – particularly any references to the EU;
- Amend existing privacy policies – particularly any references to the EU and complaints to data protection authorities;
- Amend existing SaaS terms and conditions – particularly any references to the EU;
- Enter into EU standard contractual clauses with any subsidiary, data centre, sub-contractor or sub-processor located in the UK who processes personal data of an individual located in the EU;
- Enter into EU standard contractual clauses with any EU located SaaS customer – to permit the SaaS customer to lawfully transfer personal data to the SaaS supplier for processing in the UK;
- Appoint an EU representative to deal with any data protection complaints made by individuals located within the EU and to assist with investigations carried out by EU data protection authorities.
Further Information Sources
The UK’s data protection authority (the “ICO”) has published guidance for businesses and SMEs on preparing for a no deal Brexit. This includes a ‘six step’ plan, broader guidance, FAQs, and an interactive tool to help businesses assess whether standard contractual clause are an appropriate data transfer solution.
The UK Department for Culture, Media and Sport (“DCMS”) has published guidance for businesses on preparing for a no deal Brexit, which sets out how the law will change to permit UK businesses to continue to process data from individuals located within the EU lawfully after Brexit.
The UK Government has published guidelines for specific types of UK businesses on preparing for a no deal Brexit and measures to take to enable continued trading between the UK and the EU after Brexit.
Any UK SaaS suppliers or SaaS customers should be taking action to ensure that they can continue to lawfully transfer and process personal data collected from individuals located in the EU after Brexit. The ICO and the EU data protection authorities have made clear that there will be no transitional period for adapting data protection compliance after Brexit. Measures must be taken now and should be in place to enable continued compliance with data protection laws from the date of any Brexit.
Irene Bodle is an IT lawyer specialising in SaaS, with over 14 years experience dealing with SaaS, cloud computing matters and IT law issues. If you require assistance with any SaaS agreements, cloud computing matters or any other IT legal issues please contact me at:
To register for my newsletter click here
Other related articles: