Brexit and Data Protection
What will the impact of Brexit be on data protection and the new GDPR rules brought in by the European Union? Commercial contracts specialist, Rachel Atherton explores some of the more common questions below.
Will the GDPR continue to apply?
Yes. The GDPR is an EU regulation but the UK government’s intention is that the EU Withdrawal Act 2018 would incorporate the GDPR into UK law.
What about the Data Protection Act 2018?
The Data Protection Act 2018 will continue to apply following Brexit.
What happens under the Withdrawal Agreement?
Largely, the intention in the Withdrawal Agreement is to preserve the status quo until the end of 2020 (during the transition period). The draft Political Declaration states that the European Commission will work towards adapting an adequacy decision by the end of 2020, which is important to ensure the free flow of personal data from the European Economic Area (EEA) to the UK after the end of the transition period. Similarly, the UK will be establishing its own regime for the transfer of personal data to the EU.
The UK Parliament must approve the Withdrawal Agreement for it to take effect. The vote is scheduled for 15th January 2018.
What if there’s a “no deal” Brexit?
On a no deal Brexit, personal data will no longer be able to flow freely between the European Economic Area and the UK. Whilst the UK Government has made it clear that it intends to permit the transfer of personal data from the UK to the EEA, transfers of personal data to the UK will be affected.
Businesses should look at the data flow they identified during GDPR compliance planning and identify any processes which require the transfer of personal data from the EEA to the UK and ensure they have appropriate adequacy measures in place. For example, you may need to put in place standard contractual clauses. Depending on what kind of personal data is being transferred, and from which jurisdiction, you may need to seek the approval of the local supervisory authority. In these circumstances you should seek local legal advice. The government does intend to seek an “adequacy decision” for the UK, which when it is obtained, will mean that personal data can flow freely once more. However, this is unlikely to be in place before the UK leaves the EU on 29 March 2018 so you should put in place other measures in order to comply with the law if there is no deal.
If you offer goods and services into the EU or any EEA state you will need to comply with the EU regime and will need to appoint a suitable representative in the EEA.
For further information see the ICO’s guidance for data protection compliance in a no deal Brexit here.