Brexit and GDPR, are all bets off?

July 4, 2019

There are many ideas about how Brexit will actually operate and what its impact on data protection may be. The one thing everyone can agree on is that no one knows for sure what that impact will be.

It is essential for businesses to be ready for all likely changes, or at the very least, minimise any liabilities or exposure to the uncertain economic climate.

Data Protection in the UK

The General Data Protection Regulation (“GDPR”) came into force on 29 May 2018. This presented a fundamental change in data protection law. It was transposed into UK law by the Data Protection Act 2018, which repealed the 1998 Act. There are significant obligations on both controllers and processors of personal data and new rights for individuals. In addition, new types of personal data are also recognised.

GDPR and data protection legislation only apply to the processing of personal data. Personal data includes any data that can identify a living individual, or data along with other content held by a controller that could identify a living individual.

The proposed withdrawal agreement would have preserved the status quo in relation to data protection terms, at least until the end of the transition. The agreement has been rejected by Parliament. Whilst Theresa May was under a mandate to negotiate the changes to the agreement with the EU, following her resignation and until another PM is appointed, the situation remains at a standstill.

If the UK leaves the EU without a deal, the implications for international data flows and privacy compliance may be severe. Companies should prepare for the eventuality of a no-deal Brexit.

The European Union Withdrawal Act 2018 brings GDPR into domestic law. The draft “DP Exit Regulations 2019” make some amendments to the GDPR, enabling it to operate when the UK leaves the EU and combine it with the Data Protection Act 2018.

As a third country without an “adequacy finding” by the European Commission, the UK will automatically be regarded as unsafe for personal data originating from the EU, and will be required to be legitimised by the EU. This would represent a huge disruption in comparison to the current easy flow between the EU and UK. It will require identifying current and future EU-UK data transfers and ensuring that companies become a “safe importer” of data through transfer agreements, or through binding corporate rules or model clauses.

What should businesses be doing now?

Businesses should notify clients on whose behalf they process the data of EEA citizens that the UK will be a third country under GDPR. If that client does not have binding corporate rules, the parties may have to either amend the contract or incorporate a data processing schedule.

The UK government has confirmed that it will transitionally recognise all EEA countries as “adequate” for data transfers from the UK. Any countries with an adequacy decision on Brexit day will continue to have adequacy status for transfers from the UK. This decision has been made only on a transitional basis until the UK government issues its own adequacy rules. The ICO will also issue new standard contractual clauses. Data transfer to the EU or adequate jurisdictions – including to organisations covered by the Privacy Shield (“the USA”) – should be a non-issue, but onward transfers of EU data might be problematic. Any contractual arrangements imposed on UK businesses to legitimise data transfers are likely to require the same obligations to be passed on to any third parties that process the data on the businesses’ behalf. Existing arrangements may need to be revised.

There are many other factors to be considered in light of Brexit and its effect on GDPR. For more information or if you have any queries, please do not hesitate to contact Michael King. He is a director in our Dispute Resolution Department and a Data Protection Practitioner.

This article has been produced for general information purposes and further advice should be sought from a professional advisor. Please contact our Data Protection/Intellectual Property Team at Cleaver Fulton Rankin for further advice or information.

Michael King, Director, Intellectual Property Team, Cleaver Fulton Rankin, Solicitors.