Currently a “no deal Brexit” is looking likely for the 31st of October 2019. It is therefore essential that SaaS suppliers and SaaS customers take steps now to ensure that they can continue to lawfully process and transfer personal data between the EU and the UK following a no deal Brexit.
The exact measures SaaS suppliers and SaaS customers need to take will depend upon the structure of their businesses and their personal data flows:
- The locations of offices and employees
- Where SaaS customers are located
- From which countries SaaS customers collect personal data that is to be processed
- Where data centres are located
- Where any sub-processors are located
- Where any suppliers and sub-contractors are located
- Where subsidiaries are located
- Where the Data Protection Officer is located
Preparing for a “No Deal” Brexit
Depending upon the company’s structure and it’s data flows, before Brexit occurs, SaaS suppliers and SaaS customers need to take the following actions:
- amend existing data processing agreements;
- amend existing privacy policies;
- amend existing SaaS agreement terms and conditions;
- enter into EU standard contractual clauses with SaaS customers, subsidiaries, suppliers and sub-contractors to ensure data transfers from the EU to the UK and from the UK to outside the EEA continue to be lawful after Brexit;
- check the location of any GDPR appointed Data Protection Officer;
- appoint an EU representative located in the EU to deal with EU complaints.
Further Information Sources
The UK’s data protection authority (the “ICO”) has published guidance for businesses and SMEs on preparing for a no deal Brexit. This includes a ‘five step’ plan, broader guidance, FAQs, and an interactive tool to help assess whether standard contractual clause are an appropriate data transfer solution.
The UK Government has released business advice guidelines for a no deal Brexit that applies to UK businesses trading with the EU generally.
Whether you are a SaaS supplier or SaaS customer you should be taking action now to ensure that you will be able to continue to lawfully operate your business in relation to the UK and EU (in particular transferring personal data from the EU to the UK) after a no deal Brexit.
Irene Bodle is an IT lawyer specialising in SaaS, with over 14 years experience dealing with SaaS, cloud computing matters and IT law issues. If you require assistance with any SaaS agreements, cloud computing matters or any other IT legal issues please contact me at:
To register for my newsletter click here
Other related articles: