The implications of Brexit on personal data flows and GDPR
Data protection and data flows between the United Kingdom (UK) and the European Economic Area (EEA) will be impacted by Brexit. The uncertainty surrounding the UK's method of withdrawal from the European Union (EU) means that businesses maintaining personal data flows between the jurisdictions must be prepared for all eventualities, in order to ensure continued compliance with the changing law.
The implementation of the General Data Protection Regulation 2018 (GDPR) has enabled the unrestricted flow of personal data within the EU and EEA. The GDPR governs UK data protection law and harmonises the way that businesses process, protect and manage the personal data of customers, citizens and employees. A no-deal Brexit or a departure under an agreement between the UK and EU are the two possible outcomes, and businesses should familiarise themselves with the implications of both scenarios.
If the UK leaves the EU with a deal that follows the Withdrawal Agreement, then businesses can be assured of legal continuity, with personal data flowing freely between the jurisdictions for a period of at least 20 months after the departure date. The GDPR will continue to apply throughout the transition period, and beyond it in relation to data processing commenced before the end of the transition. During the transitional phase, the EU will carry out an adequacy assessment for the UK which, if passed, will enable the free flow of data from the EU to the UK post-Brexit. This outcome is likely following an agreement, as the Data Protection Act 2018 (DPA) provides a level of data protection that is essentially equivalent to that of the EU. Therefore, a Brexit under the terms of the Withdrawal Agreement should enable businesses to continue their current data protection regime, as long as they maintain compliance with the GDPR and any new regulations that come into force.
In the event of a no-deal Brexit, the UK will not be afforded the luxury of a transition period or continued legal certainty surrounding data protection arrangements beyond the departure. EU law requires additional checks when data is transferred from the EEA in order for those transfers to be lawful. However, most of the data protection rules affecting businesses will remain the same. This is because the DPA will continue to apply and the GDPR will automatically be transposed into UK law on departure.
The UK government does not intend to apply restrictions on data flows to the EEA, so businesses sending data to the EU can continue to do so regardless of the departure scenario. While the UK is expected to conduct its own adequacy assessments in the future, businesses can benefit from the certainty that they can carry on their data flows to the EU post-Brexit.
The EU will not be returning the favour, and businesses should be aware that personal data flows from the EEA to the UK will be restricted following a no-deal Brexit. This will cause major disruption to businesses regularly transferring personal data to the UK. Until the UK secures an adequacy finding from the EU, businesses will need to comply with both the UK and EU versions of the GDPR when transferring data from the EU to the UK.
The Information Commissioner's Office (ICO) is the independent supervisory authority on data protection in the UK. It advises that after the UK leaves the EU, businesses should carry out additional checks if they receive any personal data from a business or organisation in Europe. In addition, businesses should ensure that they have the correct documentation to keep that data flowing. The most relevant documentation for the majority of businesses will be the standard contractual clauses found in contracts. They should contain model data protection clauses that have been approved by the EU, which enable personal data to flow freely once they are embedded in the contract.
The ICO has identified six steps that businesses should take on departure:
- Continue to comply with GDPR standards and follow current ICO guidance relating to it.
- Review data flows and identify flows from the EEA to the UK. Assess the GDPR safeguards you can put in place to ensure that data can continue to flow after Brexit.
- Review data flowing from the UK to any country outside the UK as these will fall under new UK transfer and documentation provisions.
- Review your European structure, processing operations and data flows.
- Review privacy documentation and internal documentation to identify any details that need updating.
- Ensure that important members of the business are aware of the key issues and keep up to date with the latest information and guidance.