How will Brexit impact GDPR?
Posted on 8 Oct 2019
Update: Boris Johnson has now confirmed that the UK will diverge from EU data protection rules using the GDPR as a baseline. This comes after the EU affirming that the UK should "fully respect EU data protection rules" post-Brexit. Article updated February 2020
The UK has now left the EU and businesses are preparing for all outcomes including a no-deal exit after the end of the transition period (1 January 2021).
One issue that has gone under the radar for many businesses is the impact of Brexit on their data protection.
Regardless of the Brexit outcome, the rules of the GDPR will continue to apply. This is because the GDPR was transposed into UK law in the Data Protection Act 2018, and the government is committed to ensuring that all EU laws which currently apply to the UK will be put into UK law by exit day. Businesses should, therefore, ensure that they continue to meet the standards set by the GDPR after the end of the transition period no matter what.
The biggest issue that Brexit raises for data protection is how it will impact the transfer of data between the EEA and the UK.
- For data flowing from the UK to the EEA following a no-deal exit, there will be no substantive change in the law. The Government has already taken the decision to recognise EEA data protection law as adequate, and as such no restrictions will be placed on the transfer of data from the UK.
- For data flowing from the EEA to the UK following a no-deal exit, the situation is a little more complicated. This is because the EU has said that it is not in a position to make a formal decision on the adequacy of UK data protection law until the UK has third country status. Third country status means that there must be a lawful basis for transferring data from the EEA to the third country, which is a higher burden for businesses to meet. Because UK data protection law is the same as the GDPR, it is extremely likely that the EU will determine that the UK’s data protection laws are adequate. The issue is that this decision will not be immediate, and in the time between leaving the EU and a decision being made UK businesses must ensure that they have a lawful basis for importing data from the EEA.
- If the UK were to leave with a deal, this would involve a transitionary period. During this transitionary period the UK would be outside of the EU, but there would be an agreement not to place restrictions on the flow of data. As such there would be no impact on data protection during this period, and the EU would have the time to formally make an adequacy decision as to whether the UK would have third-country status.
The flow of data is not the only way that Brexit will impact data protection. Should the UK end up outside of the EEA, then UK firms which process the data of EEA data subjects will be required to have an EU based representative. This is the local EU based company that can assist in providing information should there be a breach and a point of access is needed in the EU. You can find more information on eurorep.eu.
If you have any questions or queries regarding how Brexit will impact your firms GDPR compliance, wish to learn more about how Laven can assist you in ensuring that you can continue to import data from the EEA, or are interested in our EuroRep service, please email firstname.lastname@example.org.