Brexit is in the headlines constantly, and there is endless media coverage of the “deal”, whether we will get a deal, “no deal” and the potential impacts of all of these things on the UK and the economy at large. How Brexit will affect data protection in particular remains to be fully understood; however, we have compiled some top tips and key advice to be aware of in this limbo period:
- Regardless of what form any deal will take with the EU when we leave on 29 March 2019, the UK Government have expressed their intention to continue complying with the GDPR and Data Protection Act 2018 as they stand. The GDPR may require extra implementing legislation to ensure it continues to be part of the law across the UK, but we are safe to presume the substance of the Regulation is here to stay.
- At present, the UK is part of the EU and therefore businesses can transfer data freely among other EU countries. Under the Withdrawal Agreement, where the UK leaves the EU with a “deal”, the UK will continue to be treated in the same way until the end of the transition period in 2020, when a longer-term agreement can be put in place. In contrast, in the event of a “no deal”, the UK will be classed as a third country, meaning data flowing into the UK from elsewhere in the EEA will require additional safeguards. Practically, this may mean seeking consent from individuals, or entering into a standard form agreement authorised by the EU (such as Standard Contractual Clauses). It is hoped that in the longer term the EU will grant an “adequacy decision” that the UK meets the GDPR standard, meaning data will be able to flow freely between the UK and EEA countries without any extra measures. At present, adequacy decisions have been made in favour of Andorra, Argentina, Guernsey, Isle of Man, Israel, Jersey, New Zealand, Switzerland and Uruguay. Although we still don’t know what deal may or may not be reached, you can help prepare now by identifying suppliers and other organisations you may deal with in other EU countries and assessing data flows and existing documentation.
- Regardless of whether the UK leaves the EU with a deal and whether any adequacy decision is made, businesses that are based in the UK and offer goods and services to individuals in EEA countries will have to appoint an EEA Representative under Article 27 of the GDPR. The Representative’s role is to act on behalf of your organisation for the purposes of corresponding with supervisory authorities (e.g. the ICO) and data subjects themselves. If your organisation does fall into this category, we suggest that you seek further advice on what this means for you.