Brexit and the GDPR: what will happen to data transfers and data protection?Alexander Edwards, partner at Rosling King, discusses the ongoing challenges Brexit poses to data transfers and data protection and what companies and organisations need to be aware of come exit day.
The continuing uncertainty over Brexit means that there is still apprehension over what will happen to data transfers and data protection after the UK leaves the EU, particularly for businesses that transfer data across EU territories.
Whilst the UK government has committed to incorporating the EU GDPR into domestic UK law on exit day, meaning GDPR will continue to apply as it stands, there are still a number of key issues businesses must be aware of.
It is important to stress that in the event there is a deal, it is likely that there will be a transition period during which the GDPR will continue to apply. However, at the end of that transition period, the default position would nonetheless be the same as for a no-deal Brexit, although the transition period will allow for key issues to be dealt with and further guidance to be published.
In the event of a ‘no deal’ from the outset, companies would still need to comply with GDPR – given the Government has put in place a law that would implement EU GDPR which is tailored specifically to the UK and this would sit alongside the Data Protection Act 2018. However, EU law will require additional measures to be put in place where personal data is transferred from the EEA to the UK.
There are a number of scenarios which can pan out which businesses and organisations must be aware of and act accordingly:
1. A UK business or organisation who has no contacts or customers in Europe
If this is the case, companies should already be compliant with GDPR and on that basis, there isn’t much which needs to be done to prepare for Brexit. As the UK government has committed to incorporating the EU GDPR into UK domestic law from exit day, GDPR will continue to apply as it stands. Many of the data protection rules affecting small to medium-sized businesses with no contact or customers in Europe will therefore stay the same.
However, it is good practice for the business to carry out a thorough review of its privacy information to identify any minor changes that may need to be made after Brexit to ensure references to GDPR are UK specific.
2. A UK business or organisation who sends data to the EEA
Data can still continue to flow in this case. The UK government has stated that data transfers to the EEA will not be restricted, meaning that if a UK business is sending data to the EEA it will still be able to do so without the need to take additional steps at this stage. The position should be kept under review by companies.
The GDPR and Brexit
3. A UK business or organisation who receives data from the EEA
• If there is a no-deal scenario, action needs to be taken in conjunction with the EEA business for data to continue to flow following exit day.
• If a business or organisation (including a sole trader, individual contractor or consultant) acting as a data controller within the EEA is sending personal data to a UK business then this data processing will need to comply with EU GDPR.
• For most businesses and organisations, you should look to implement a simple data transfer agreement or contract with the EEA business on EU-approved terms by incorporating the EU commission approved standard contractual clauses. This should be implemented before exit day.
4. A UK business or organisation with a European presence or with European customers
• If the UK business has offices, branches or other establishments in the EEA, those European activities will still be covered by EU law, even after Brexit. The ICO advises that the business should check which European data protection regulator will be their ‘lead supervisory authority’.
• In most cases where the UK business has a European presence or provides services to individuals in the EEA (even if they are a UK business with no offices in the EEA), the business will need to appoint a suitable representative within the EEA and will need to comply with the EU GDPR in relation to these activities. The representative will act as the business’ local representative with individuals and data protection authorities in the EEA.
5. UK businesses and organisations who send or receive data to or from countries outside Europe
• If you already transfer data to countries outside of the EEA where the EU has already made an adequacy decision, then the position will remain the same. The UK government has confirmed that they will recognise existing EU adequacy decisions and EU–approved transfers safeguards. This means that transfers from the UK to those adequate countries can continue uninterrupted but must be kept under review as the EU may subsequently grant an adequacy decision to a country which the UK might not choose to adopt.
• However, the position in respect of transfers of data from those countries outside of the EEA but which are subject to an EU adequacy decision remains under review. Individual countries will need to determine how they see the UK’s data protection regime after Brexit and what impact that may have for data flows to the UK. The hope would be that as the UK will broadly follow the EU GDPR following exit day, the free flow of data will continue.
• In terms of the transfer of data from the UK to countries outside of the EEA which are not subject to an adequacy decision, companies will need to continue to comply with the “restricted transfer” provisions set out in the data protection legislation. Future arrangements with such companies and whether an adequacy decision is subsequently granted will be a matter for the UK government.
Brexit, GDPR and the flow of data: there could be one winner and that’s the cybercriminal
There are risks associated with Brexit concerning the flow of data, the UK may not necessarily pass an adequacy check under GDPR, and in the uncertainty that unleashes, cyber criminals may swoop. Read here
The UK will most certainly apply for ‘adequacy status’, thereby avoiding the UK from being classified as a “third country” by the EEA.
This would simplify the issue of data transfers from the EU to the UK post exit day. However, adequacy decisions are subject to periodic review, in order to create business certainty, individual safeguards should be adopted by bespoke agreements, clauses or contracts.
Irrespective of the political situation in the UK, all companies should continue to make sure they comply with the GDPR as it currently applies. Companies should also identify existing relationships, including those with supplier and group companies, involving the transfer of personal data.
Depending on how political events unfold, it should be considered — upon review — if any amendments need to be made to any privacy information and documentation to identify any minor changes that may need to be made to the internal business in the event of a no deal Brexit. And companies should look to work with any counterparts in the EEA which will continue to transfer data to the UK post exit day. The biggest concern is to keep data flowing.
As the uncertainty looms across the market, the future does look daunting. However internal preparation and keeping up to date with the latest information and guidance has never been more important as any preparation now should stand the company in good stead when exit day does finally arrive.
Companies should continue to monitor the ICO’s website for further guidance on this topic as the political situation in Westminster develops.