What does Brexit mean for GDPR?
31 January 2020 marked the official withdrawal of the United Kingdom (‘UK’) from the European Union (‘EU’).
The UK will now enter a transition period which ends on 31 December 2020. It is hoped that the next 11 months will allow the UK and the EU sufficient time to negotiate a new relationship.
During the transition period, the GDPR will continue to apply in the UK. However, from the end of December 2020, the GDPR will no longer be part of UK data protection law.
At the end of the transition period, the government will bring the GDPR into UK law (to be known as the ‘UK GDPR’) so that it works in a UK context. However, the impact on particular issues like UK-EU data transfers still need to be agreed with the EU.
Click here for the webinar on The Data Impact of Brexit
ft. data privacy expert Husna Grimes from Humphreys Law
During the transition period, the UK will be looking to secure an adequacy decision from the European Commission (EC). This is a finding by the EC that the legal framework in place in that country provides ‘adequate’ protection for personal data. If adequacy status is agreed, it would mean that data transfers from the EU to the UK could take place without any additional safeguards.
However, there are lots of issues on the agenda (beyond data protection) and the process for securing adequacy can take some time. It is therefore by no means certain that the UK will receive an adequacy decision in time for 31 December 2020.
Without adequacy status, the UK becomes a ‘third country’ (i.e. a country outside the EU) and all data that currently flows to the UK under the GDPR will become restricted. This means that other mechanisms, such as standard contractual clauses, will need to be put in place to ensure that data can continue to flow into the UK.
What should businesses be doing to prepare?
Although it is technically ‘business as usual’ during the transition period while the GDPR still applies in the UK, there are a few key steps that businesses should take before 31 December 2020.1. Understand which laws will apply to you.
If you operate inside the UK, you will need to comply with the UK GDPR.
However, the GDPR may still apply directly to you if you operate in the EU, offer goods or services, or monitor the behaviour of, individuals in the EU.
The GDPR will also continue to apply to any organisations in the EU that send you data, so you should think about how they can transfer personal data to the UK (now a ‘third country’) in line with the GDPR.
For non-EU or -UK businesses, both the UK GDPR and the GDPR may apply if you have contacts and customers in both the UK and the EU.2. Understand your data flows.
No matter where your business is based, it is essential to understand your international flows of personal data to identity any transfers that may be affected by Brexit. Key transfers to identify will be from the European Economic Area (‘EEA’) to the UK. We have looked at the impact on certain transfers below:
UK to EEA
The UK government has confirmed that transfers of data from the UK to EEA will not be restricted.
EEA to the UK
As explained above, the UK becomes a ‘third country’ at the end of the transition period.
In the absence of securing an adequacy decision, other safeguards will need to be in place to ensure that data can continue to flow from the EEA to the UK, in accordance with GDPR rules.
The simplest way for businesses to do this is to enter into standard contractual clauses with the sender or recipient of the personal data. These are a set of data protection clauses approved by the EU to be included in commercial contracts. There are different versions available depending on whether the data is shared with another controller, or if there is a transfer from a controller to a processor.
Multinational group companies might also look at their existing Binding Corporate Rules to make transfers into and out of the UK. These would need to be updated to reflect the UK’s status as a third country on exit date.
UK to the US
For UK companies currently relying on the EU-US Privacy Shield to transfer personal data to US organisations, they can continue to do so after the transition period provided:
- The Privacy Shield organisation has updated its public commitment to comply with the Privacy Shield to include the UK.
- Organisations maintain a current Privacy Shield certification, re-certifying annually as required by the Privacy Shield Framework.
For US organisations wanting to rely on the Privacy Shield to receive data from the UK after 31 December 2020, further guidance (including example language to include in their updated public commitment) can be found on the Privacy Shield website.
Appointing an EU representative:
If you are based in the UK without a branch or office in any EU or EEA state and either offer goods or services to individuals in the EEA, or monitor the behaviour of individuals in the EEA, you will need to appoint a representative in the EEA from the end of the transition period EU representative.
Appointing a UK representative:
If you are based outside the UK but offer goods or services to individuals located in the UK, or monitor their behaviour in the UK, you may need to appoint a UK representative.
Again, if you are based outside the EEA and the UK but offer goods or services to individuals located in these jurisdictions, you will need to appoint both a UK representative and an EU representative.
If you’re doing business in the UK and the EU, it is important not to sit back and wait for the transition period to end. Businesses should carefully map out all data flows and properly understand which rules apply to them so that appropriate steps can be taken to allow for data transfers to continue on an unrestricted basis. There will be lots of other areas to consider that have not been addressed in this article but the steps outlined above will be a good starting point.
The article was prepared by Humphreys Law. None of the above constitutes legal advice. None of the above should be relied upon. Always seek your own independent professional advice.