
The GDPR and Brexit

James Castro-Edwards, Partner and Head of Data Protection at Wedlake Bell, discusses the three possible outcomes for GDPR post-Brexit, dependent on whether we get a deal or not.

Background

It is difficult to think of a piece of legislation that has generated as much publicity as the European General Data Protection Regulation, or GDPR, which took effect on 25th May of this year. The GDPR imposes stringent obligations upon organisations that process ‘personal data’ – information by which living individuals may be identified – and includes large fines for those that fail to comply. In the run-up to the GDPR, operators in the private, public and third sectors have invested vast resources in compliance. Yet, within less than a year of the GDPR becoming binding law, organisations face further upheaval as the United Kingdom exits the European Union.

Data protection and the regulatory environment in the U.K.

Organisations in the EU that process information about living individuals, whether they are employees, customers or suppliers, must comply with the GDPR. In the UK, the GDPR is supplemented by the Data Protection Act 2018, which enables the GDPR to properly function as national law. The GDPR and the Act are both enforced by the Information Commissioner, acting through the Information Commissioner’s Office, or ICO.

The ICO is an active regulator, issuing a wealth of guidance, intended to help organisations comply with their obligations. However, for those that fail to comply, the ICO can and will issue heavy penalties. Recent months have seen a significant increase in the magnitude of fines, with Facebook and Experian both issued with monetary penalties of £500,000, the maximum under the Data Protection Act 1998, which was in force when the offending breaches occurred. Had the breaches taken place after 25th May, when the GDPR took effect, those fines could have been significantly higher. Businesses beware: The ICO is no ‘soft touch’.

Both the ICO and the U.K. government have consistently confirmed that the GDPR will remain law in the UK post-Brexit and will continue to be enforced by the ICO.

Data Protection implications of Brexit

The GDPR, like the Data Protection Act 1998 before it, allows personal data to be shared between EU Member States but prohibits the transfer of personal data to ‘third countries’ outside the EU that do not ensure adequate protection. After Brexit, in the absence of an adequacy finding by the European Commission (explained below) the UK will become a ‘third country’ to which the transfer of personal data will be prohibited. This prohibition would operate to prevent controllers in EU Member States from transferring personal data to the UK, even between group companies, unless there is an appropriate data transfer solution in place.

The GDPR includes provisions that enable the European Commission to issue a decision of adequacy where a country is able to demonstrate that it has adequate data protection laws, and an independent and effective data protection authority. An adequacy decision means that controllers in EU Member States can freely transfer personal data to the approved third country as though it were another Member State.

Based on the criteria set out in the GDPR, the UK should theoretically qualify as an ‘adequate country’. However, this is a politically charged issue, and it is by no means a foregone conclusion that an adequacy decision will be made. To complicate matters further, the UK is seeking an ‘enhanced adequacy decision’, which would enable the ICO to continue to participate in the European Data Protection Board, which aims to ensure the consistent application of the law.

Possible outcomes

There are three possible outcomes in relation to the UK’s application for an adequacy decision:

  1. No deal: The UK becomes a third country, to which EU Member States may not transfer personal data unless there is a legal data transfer solution in place (explained below).
  2. Adequacy decision: The UK is recognised as an approved country, to which personal data may freely be transferred from EU Member States. However, the ICO would not participate in the European Data Protection Board, which could result in an inconsistent approach between the ICO and European regulators.
  3. Enhanced adequacy decision: The UK is recognised as an approved country and the ICO would participate in the European Data Protection Board. Needless to say, this proposal by the UK government has met resistance from the EU.

Note that controllers in the UK would not be prevented from transferring personal data to EU Member States.

How to prepare

Any non-compliant UK companies that may be hoping the GDPR will be swept away by Brexit will be sorely disappointed. The GDPR is here to stay, and it will continue to be actively enforced by the ICO post-Brexit. In Europe, organisations will be prohibited from sending personal data about their employees, customers and suppliers to the UK, even to members of the same corporate group, without a data transfer solution in place. The GDPR recognises a variety of data transfer solutions, which enable the transfer of personal data from Europe to recipients in third countries, but their implementation requires a degree of expertise.

It is as difficult to predict if, and when, an adequacy decision will be made as it is to predict the outcome of Brexit itself. A prudent approach for businesses may be to plan for the worst and hope for the best, with a data transfer solution at the ready should the UK leave the EU and become an unapproved third country.

Written by James Castro-Edwards, Partner and Head of Data Protection at Wedlake Bell
