Payroll professionals have to decipher and adapt what guidance is out there. When considering management of data transfer, Brexit is no exception.
Data Protection Regulations have been around for a long time, and most organisations are compliant, the General Data Protection Regulation (GDPR) being an extension of existing regulations. When it comes to management of personal data, the payroll profession prides itself on confidentiality, and there are many unanswered questions and many grey areas related to the GDPR guidance.
The UK, regardless of the Brexit position, is bound by the GDPR, and as a result organisations have been polishing up data management and their application to the Data Protection Act, by tightening up on encryption of documents and emails which contain personal data.
Now consider global business: there are significant occurrences of cross-border data transfer. While the GDPR covers all member European Union (EU) states, global organisations are likely to store data in further afield global locations. However, as confirmed by the European Commission (EC), the protection provided by the GDPR travels with the personal data, no matter its destination.
In such circumstances, diligence is required to check if an EC Adequacy Decision is in place. In a nutshell, this means that an arrangement is in place to ensure relevant safeguards to protect the data leaving the EU.
In the absence of such an arrangement, it does not mean that UK business is unable to transfer the data, but sufficient safeguards still need to be put in place. The Information Commissioner’s Office provides guidance related to what is regarded as a third country transfer. Until we know what the government decides in terms of a Brexit exit deal, however, we can’t be sure if the current guidance will change or remain the same. If only we had a crystal ball.
Elaine Gibson is education director at the Chartered Institute of Payroll Professionals (CIPP).