March 23, 2020

GDPR Post-Brexit: Key Insights for UK Businesses

The UK left the EU on 31st January 2020, raising questions about what Brexit means for GDPR enforcement. 

In the short term, a new domestic UK-GDPR (United Kingdom General Data Protection Regulation) coupled with an amended version of the Data Protection Act 2018 will come into effect. 

Nonetheless, these are technical measures that do not have a significant impact on the current GDPR regime.

In this article, we select and answer your most frequently asked questions about GDPR enforcement in the UK after Brexit. They include:

  • When does the UK-GDPR come into effect?
  • Does GDPR still apply to UK companies?
  • How will Brexit affect UK companies’ GDPR compliance?
  • How can UK companies prepare for GDPR after Brexit?

When does UK-GDPR Come into Effect?

The enforcement of UK-GDPR will begin after December 31, 2020. Essentially, this is when the Brexit transition period which began on January 31, 2020, comes to an end. 

Does GDPR Still Apply after Brexit?

The current EU GDPR and the UK Data Protection Act 2018 and the obligations of UK companies to comply with them remain unchanged throughout the Brexit transition phase. 

The British government has expressed plans to keep GDPR as part of domestic law. However, the recently passed Withdrawal Bill creates provisions for small changes to the regulation to ensure that it meets the needs of UK residents effectively.

The adoption of the GDPR into domestic law is likely to consist of changes to specific terminology in the regulation to adapt it to the UK context.

For example, any references to EU Member State law in the GDPR will be changed to reference UK Domestic Law instead. 

For now, UK companies should focus on remaining compliant with the EU GDPR, since the Information Commissioner’s Office (ICO), the UK’s data protection oversight authority, has issued a statement that ‘it will be business as usual for data protection.’ Learn about the ICO Cookie Guidelines.

How Will Brexit Affect UK Companies’ GDPR Compliance?

To minimize disruption to UK companies that have an international presence after Brexit, the Withdrawal Bill enacted transitional provisions concerning adequacy decisions, standard contractual clauses, and binding corporate rules.

These provisions aim to ensure that established personal data flows from the UK can continue after Brexit. 

UK to EEA: Under the Withdrawal Bill, the UK will consider all EEA nations, as well as Gibraltar, as offering an adequate level of protection for personal data during the transition period.

UK to territories outside the EEA: The UK will also adopt the EC’s list of 12 nations currently recognised as offering an adequate level of protection for personal data.

Countries on this list based on full findings include: Israel, New Jersey, Isle of Man, Argentina, Andorra, Guernsey, New Zealand, Switzerland, and Uruguay. Those on the list based on partial findings include: Canada, Japan, and the United States.

From the EEA to the UK: Under the GDPR, there are restrictions on transferring personal data from the EEA to jurisdictions that have not been the subject of an ‘adequacy decision’.

Under the agreement in place, data flows from the EEA to the UK will not be affected during the transition period.

When the transition period comes to an end, the UK will be required to seek adequacy status from the EU. If this request is not granted, the UK will be regarded as a ‘third country’ under the GDPR and be subject to its stricter transfer rules.

How Can UK Companies Prepare for GDPR after Brexit?

Following the ‘no-deal’ Brexit, the European Union has made it clear that the UK will be considered a ‘third country’ once the transition period expires. 

This means that the EU will not automatically regard the UK as ‘adequate’ for the purpose of allowing personal data flows from the Union into Britain under the GDPR.

Therefore, data controllers and processors need to consider the following measures to ensure compliance with the GDPR post-Brexit:

Updating Existing Documentation 

In the current GDPR regime, your privacy policy must contain details of personal information transfers to countries outside the EEA or international bodies. 

Depending on how the data protection provisions in your agreements have been drafted, they may become ineffective once the UK fully leaves the EU. These provisions will need to be updated in line with the expected UK GDPR provisions.

Determining the Personal Data you are Processing and where it is transferred

EEA-to-UK personal data transfers in the post-Brexit era will depend on whether the EU has issued an adequacy decision with respect to the UK. In the absence of an adequacy decision, companies will be expected to comply with the GDPR’s transfer requirements when sending personal data out of the EEA.

On the other hand, the UK government has so far indicated that no additional requirements will be needed to transfer personal data from the UK to the EEA.

For transfers from the UK to non-EEA countries, the UK GDPR is expected to establish the same obligations as those under the EU GDPR. Furthermore, the UK’s leadership has reiterated that it will use the European Commission’s list of ‘adequate’ countries in its own adequacy decisions.

For intra-UK transfers, the UK GDPR will introduce similar obligations to the current GDPR regime that are consistent with UK domestic law.

Appointing a UK or EU Representative

Data controllers and processors that are not established within the EU are required to appoint a representative in the Union unless an applicable exception applies. The representative may be subject to any enforcement action that a regulator can bring against the relevant controller or processor.

Since the UK will not be a member of the EU, British companies will be required to meet this GDPR obligation after Brexit.

Identifying your Lead Supervisory Authority

Currently, the GDPR’s one-stop-shop mechanism allows some organizations operating in more than one EU member state to be supervised by a single EU oversight body acting on behalf of the others.

Nonetheless, after Brexit, the UK’s Information Commissioner’s Office will no longer act as a company’s lead supervisory authority within the EU. 

Therefore, if the UK’s ICO is your current lead oversight body, a review is necessary to determine whether you can have a new lead supervisory authority and benefit from the one-stop-shop enforcement of the GDPR.

Secure Privacy’s GDPR legal consultants can help you prepare now to ensure your company is taking all the right measures to comply with the GDPR and avoid potential fines. Schedule a call with us today or sign up for a free trial of our GDPR compliance solution.

Additional Resources:

Get a detailed overview of what it takes to become GDPR-compliant with our comprehensive summary.

Download your free GDPR e-book and have it delivered instantly in your inbox.