What does Brexit mean for GDPR?
The UK is all set to leave the EU on Friday 31 January at 11pm. So, does this mean that all your painstaking work getting your internal processes and procedures GDPR compliant, training your staff on data protection and updating your Privacy Policies was all for nothing? The answer, in short, is – no.
From Friday, the UK will enter a ‘transition period’ until 31 December 2020. The ICO has confirmed that during this period the GDPR will continue to apply in the UK and you won’t need to take any immediate action – which is very good news! You should therefore continue to follow existing ICO guidance on the GDPR.
What happens after the transition period?
Post-Brexit, EU Regulations will not have effect in the UK. But, the GDPR will be brought into UK law as the ‘UK GDPR’. This legislation replaces references to EU member states, institutions and decisions so that the GDPR can operate effectively. Most of the rules, including the data protection principles, the rules on special categories of data and data subjects’ rights, will remain unaffected.
There may be further developments during the transition period, depending on negotiations between the UK and the EU – so keep an eye out for any updated ICO guidance during this period.
How will Brexit affect you in practice after 31 December 2020?
If you operate in the UK, you will need to comply with UK data protection law (i.e. the UK GDPR and the Data Protection Act 2018).
The EU GDPR is not changing, so if you are a UK-based business offering goods or services into the EEA (whether as data controller or processor), then you will still be required to comply with the EU GDPR in order to fulfil your legal obligations arising out of your outbound activity. You may also need to appoint a representative in the EEA from the end of the transition period.
Controllers based outside the UK may be required to appoint a representative in the UK.
The ICO will continue to be responsible for supervising and enforcing domestic data protection legislation in the UK but will cease to be a ‘supervisory authority’ for the purposes of the EU GDPR. If you operate in the EU, you should therefore consider appointing a lead supervisory authority (i.e. an ICO equivalent) outside the UK.
We would recommend that you ensure that your privacy policies and privacy notices are updated to reflect changes to international transfers; to amend references to ‘EU law’ and/or other terminology changes; and to update and be clear on the details of representatives (subject to where current Brexit negotiations land).
Will there be any restrictions or additional obligations placed on UK business when transferring data to and from Europe after 31 December 2020?
The government has said that transfers of data from the UK to the EEA will not be restricted.
However, if the UK fails to reach a trade deal with the EU by 31 December 2020, the freedom to transfer data between the UK and the EU will end and the UK will become a ‘third country’ for the purposes of data protection law. GDPR transfer rules will then apply to data coming from Europe into the UK. You will therefore need to have appropriate safeguards in place, such as standard contractual clauses, to cover EU-UK data transfers.
What if you share data with the USA?
Please contact the TMT team if you would like any advice or assistance in relation to the above.