What Brexit could mean for GDPR & Data Protection.
There is little doubt that in two weeks’ time we’ll be done with March. The question remains, however, and this is where the uncertainty lies: as we finish with March, will the UK be done with the EU?
So what does this mean for GDPR?
If you happen to know the answer to that question, do let us know. In the meantime, the options being explored seem to change with increasing frequency. Will there be a deal, and what will it look like? Or will it be no deal? Are we running out of time? Don’t worry, this is a Noel Edmonds pun-free zone, I promise.
I recently attended a Data Protection Brexit briefing. The speakers included the lawyer who, in a previous role, was the Government's lead lawyer during the drafting of GDPR and during the EU Referendum Act and the EU Withdrawal Agreement Bill, and other leading data privacy professionals were also in attendance; there was a wealth of knowledge throughout the day.
Brexit with a Deal
We’re just getting familiar with the brave new era of Data Protection accountability under the General Data Protection Regulation, and the regime of new requirements that this has brought, and now we’re leaving the EU.
So what do we need to know about a ‘deal Brexit’ scenario?
With a deal in place, the GDPR will still be active and applicable to the UK throughout the withdrawal transition period (to 31st Dec 2020), and organisations processing EU Data will be able to continue with the adequacy agreement afforded as part of the GDPR.
The UK can continue to operate the One Stop Shop with regards to nominating a lead Supervisory Authority.
Both the GDPR and the UK Data Protection Act 2018 derogations apply to the UK.
If Brexit stalls and does not progress any further, either by the revocation of Article 50 or some other technical means, the UK will remain in the EU and therefore will operate within the guidelines of the GDPR until a withdrawal is completed.
Brexit without a Deal
If the UK leaves the EU without a deal, then EU law will no longer be applicable to the UK as of 29th March 2019. In this scenario, the UK GDPR will be applied to UK businesses without a footprint within the EU, and the EU data protection law, the GDPR, will apply to businesses that do operate in or have customers in the EU.
Sounds complicated, right? Sadly, the complexity only increases, because with a no deal Brexit the UK automatically becomes a 3rd Country, which means there will be no agreement between the UK and the EU on the adequacy of the UK's data protection safeguards. To gain adequacy, the UK will need to progress through an application process that is likely to take months, if not years.
What do you need to do?
Brexit and data protection can affect your business in the following ways:
UK Business with UK Customers
If you are a company that offers services to the UK only, then in any of the scenarios above, the UK GDPR & UK Data Protection Act 2018 will apply to you.
UK Business with UK & EU Customers
If you are a company that serves customers in the UK and the EU, there are a number of things to consider:
Have you established contracts with any EU based processors? As the UK will be regarded as a 3rd country, there will no longer be frictionless data transfer; you will need to have an approved transfer method, for example Standard Contractual Clauses.
Have you set in place provisions for an EU Representative? Whilst the UK was in the EU there wasn't a requirement to have a data protection representative located within the EU. After Brexit, UK businesses that serve EU customers will be required to appoint a representative.
We can help.
If you would like assistance with training, data processing agreements or help with appointing an EU Rep, please get in touch and find out how we can help bring stability to your personal data processing compliance during these turbulent transitions.