Brexit could have a serious impact on data protection for both UK and EU companies. Here's everything you need to know to prepare.
The most important points, in a nutshell
- Brexit is impacting data protection compliance for businesses both across the UK and the EU
- The GDPR will remain applicable in the UK during the Brexit transition period until 31 December 2020, after which it will become a “third country”
- With an adequacy decision, the EU Commission could put the UK on an equal footing with EU countries in terms of data transfers
- This requires the UK to continue to adhere to EU standards on data protection and it remains unclear if the EU Commission will grant adequacy at the moment
- Regardless, companies need to take many measures to prepare for the end of the Brexit transition period as soon as possible
- Answers to the questions surrounding the data protection implications of Brexit can be provided by your data protection officer (DPO), external consultants and the British authorities
In this post
- What happens after the Brexit transition period?
- What does it mean if the UK becomes a third country?
- How can businesses prepare for the end of the Brexit transition period?
- Who can I contact if I have questions about data protection and Brexit?
- How will Brexit affect data protection compliance across the UK and the EU?
The Brexit transition period is coming to an end, and it is foreseeable that the impact could be severe. Companies should focus on the GDPR and data protection in order to ensure continued compliance with applicable data protection law.
In this article, you will learn more about the current situation in the wake of the United Kingdom’s withdrawal from the European Union. We will discuss the issues that are most relevant to both EU & UK businesses post-Brexit, with a focus on becoming and remaining privacy compliant under the data protection rules and regulations when doing business with the European Union.
What happens after the Brexit transition period?
During the Brexit transition period, the General Data Protection Regulation (GDPR) will remain applicable in the UK without change.
After the end of the Brexit transition period on 31 December 2020, the UK will become a so-called “third country”: the GDPR will apply to it as it does to any other third country, and will cease to apply to UK entities that fall outside its extraterritorial scope. This means that any transfer of data from the EU to a company in the UK, regardless of whether the recipient is, for example, a separate establishment or a service provider, requires a specific legal basis. The GDPR regulates international data transfers in Chapter 5 and provides the following transfer mechanisms:
- An adequacy decision is granted under Article 45(3) of the GDPR when the EU Commission determines that a third country provides a level of data protection comparable to EU standards. Data transfers to such a country are privileged, as they do not require any additional transfer mechanism. Currently, adequacy decisions exist for the following third countries: Andorra, Argentina, the Faroe Islands, Israel, Japan, Canada, New Zealand, Switzerland and Uruguay, as well as Guernsey, the Isle of Man and Jersey, which as Crown Dependencies are not part of the United Kingdom.
- Binding Corporate Rules (BCRs) are an appropriate safeguard for international data transfers within a worldwide corporate group: they bind the group's various entities while granting enforceable rights to data subjects, and ensure that all members of the organisation comply with the same high level of protection for personal data. BCRs must be approved by the supervisory authority; this has proven difficult in practice, as few organisations have had BCRs successfully approved to date.
- Standard Data Protection Clauses are standard contractual clauses (SCCs) adopted by the EU Commission or a supervisory authority and executed between a data exporter and a data importer. Recital 109 of the GDPR encourages controllers and processors to provide additional safeguards via contractual commitments that supplement these standard data protection clauses. SCCs are mechanisms by which organisations can commit to protect personal data when engaging in cross-border data transfers.
If none of the above transfer mechanisms is available, a cross-border data transfer may still take place under one of the conditions laid down in Article 49 of the GDPR, “Derogations for specific situations”. These include, for example, transfers based on explicit consent or necessary for the performance of a contract. However, the Article 49 derogations are intended for exceptional situations and should not become a routine course of action. With this in mind, the UK government has put amendments in place that seek to achieve an adequacy decision.
As part of the transition agreement, the UK government has already incorporated the GDPR into local law with what has come to be known as the “UK-GDPR” in order to secure an adequacy decision from the EU Commission. The “UK-GDPR” sits alongside the Data Protection Act 2018 and with the Privacy and Electronic Communications Regulations (PECR), will make up the local privacy landscape after the transition period.
However, uncertainty looms in the UK, as certain political figures have shown signs of a possible shift away from EU privacy standards. Previous remarks from the UK prime minister and the recently published national data strategy hint at a more “relaxed”, and potentially less secure, approach to data. Although the UK currently appears to prioritise achieving an adequacy decision by applying the UK-GDPR post-Brexit, an alternative scenario cannot be excluded.
In any case, and as mentioned above, the GDPR will continue to be relevant to many companies in the UK. According to Article 3 of the GDPR, the regulation also applies to organisations in third countries which:
- Process personal data in the context of the activities of an establishment in the EU
- Offer goods and services to data subjects in the EU or
- Monitor the behaviour of individuals within the EU (e.g., via online tracking).
What does it mean if the UK becomes a third country?
Since Brexit, the European Commission and the UK government have been engaged in formal negotiations towards an adequacy decision. Despite both sides meeting several times, there is still no agreement to date, and considering precedents such as Japan's adequacy decision, the time needed to reach this decision might extend beyond the transition period. If the UK becomes a third country at the end of the transition period, this will affect how companies have to organise their data flows. Organisations should therefore first check their data flows in relation to EU–UK data transfers.
The extent of changes that will be required in companies will depend on whether or not the European Commission will consider the level of data protection in the UK to be adequate. Whether this adequacy decision will exist is still unclear.
It is likely that this decision will be substantially dependent on the compatibility of the GDPR with surveillance rules such as those enshrined in the Investigatory Powers Act. Doubts about compatibility have grown since the European Court of Justice overturned the EU-US Privacy Shield in a landmark ruling in mid-July 2020, in which it deemed US surveillance laws incompatible with EU data protection standards.
Until the EU Commission has made an adequacy decision, or if it does not reach one at all, companies will have to meet the special requirements for data protection compliance set out in Chapter 5 of the GDPR. At the same time, the UK government has confirmed that data transfers from the UK to the EEA and to other countries with an adequacy decision will not be restricted. In addition, the relationship between regulators will change after Brexit, as the Information Commissioner’s Office (ICO) will no longer be an EU supervisory authority. Depending on how companies process their data, they may in future have to communicate with both the ICO and an EU supervisory authority. The ICO recently issued two high-profile fines against British Airways (20M GBP) and Marriott (18.4M GBP).
How can businesses prepare for the end of the Brexit transition period?
Companies should start preparing now in order to be able to operate in accordance with the rules after the Brexit transition period ends on 31 December 2020. Here is an overview of the possible measures and actions to take, which we will discuss in more detail below:
- Check the data flows in the company, especially regarding transfers to and from the EU and the UK
- Prepare by continuing to comply with GDPR privacy standards and verify with your DPO or privacy specialist how this impacts your organisation
- Check if you need to appoint a representative in the UK or the EU
- Consider that you may need to appoint a DPO in the UK and the EU
- Review all contracts with suppliers, service providers and other parties in relation to EU and UK data transfers
- Apply appropriate safeguards for international data transfers, such as BCRs and SCCs
- Track what recommendations regulators, such as the ICO, give in relation to changes in data protection. The ICO has released guidance on how British organisations should handle data protection and data flows once the Brexit transition period ends
It is possible that the UK will turn away from EU data protection standards in the future. Although this is unlikely at the moment, it should not be excluded as a possible scenario.
Regardless of which scenario you are preparing for, keep in mind that implementing some measures can be time-consuming. Many organisations fear a rise in compliance costs and burdens, as privacy requirements may increase for those required to comply with both the GDPR and the UK privacy framework by the end of the transition period. To prepare concretely, companies in the UK and the EU should first review their data flows. This will allow them to determine directly whether Brexit affects them in terms of data protection at all, and what they may need to change.
Who can I contact if I have questions about data protection and Brexit?
The first point of contact for all questions about Brexit is certainly your company’s DPO, for whom Brexit is probably part of day-to-day business at the moment, so he or she is likely to be able to answer most questions.
It may also be advisable to contact an external consultant. Here, you should make sure that he or she has international expertise, experience and presence in order to be able to provide you with the best possible support on this cross-border topic.
Another good option is the UK authorities. For example, the Information Commissioner’s Office (ICO) regularly issues guidance on topics including Brexit, data protection and the GDPR. The UK government may also provide assistance to companies through Companies House.
How will Brexit affect data protection compliance across the UK and the EU?
As we have seen, Brexit could have a serious impact on data protection for both UK and EU companies, especially when it comes to data flows and transfers. Many questions remain unanswered, as the EU Commission has not yet issued an adequacy decision for the UK, and it seems likely that this will drag on beyond the close of the Brexit transition period at the end of the year. With this proving to be a continuously evolving landscape, we recommend that companies implement the necessary measures now, so they are not caught by surprise at the turn of the year.