Brexit day is approaching fast, but there is still no certainty as to whether the UK’s departure from the EU will be accompanied by a withdrawal agreement. Data protection is just one of the many areas that Brexit will affect, and under a no-deal scenario the impact of the UK leaving the EU becomes even more dramatic.
Clients are asking a number of questions about the data protection regime that will apply after Brexit day, and the specific answers depend on a firm’s size, the location of its branches and offices, the volume of its international data transfers, and where its customers are located.
Keep reading if you want to know more about the three most common questions your peers are asking about Brexit.
- If the UK leaves the EU without an agreement, can companies in the UK stop worrying about GDPR? Technically, when the UK exits the EU, the EU’s General Data Protection Regulation (GDPR) will no longer be law in the UK. However, deal or no deal, the UK government has already made plans to adopt the “UK GDPR.” As the name suggests, this set of rules will be closely aligned with the existing EU GDPR, and it will sit alongside the UK’s existing Data Protection Act 2018. The combination of these two instruments could potentially produce a stricter overall data protection regime than the one firms in the UK experience today. In addition, firms based in the UK that have customers in the EU, or that monitor the behavior of individuals in the EU, will need to keep complying with the EU’s GDPR, too. There are also areas where there may be no net-new rules, but where UK firms will still need to make adjustments that result in additional compliance measures: for example, measures around international data transfers, accountability, new regulatory oversight requirements, and the appointment of an EU representative. In short, the GDPR will stop applying to the UK directly, but what we are looking at is a regulatory landscape that is about to become considerably more complex for UK businesses.
- If the UK leaves the EU, the UK becomes a “third country” as far as data protection is concerned. What does this mean? Yes, on the day the UK leaves the EU, the UK becomes a third country for the purposes of data protection, and a set of restrictions will apply to international transfers that involve the flow of personal data to and from the UK. This topic is, in fact, one of the areas most affected by Brexit. Firms must consider a range of possible scenarios depending on the direction and the modalities of their data flows. For example, transfers of personal data from the UK to EU countries will be largely unaffected. For transfers from the UK to countries outside the EU, firms in the UK must look at the rules contained both in the upcoming UK GDPR and in the soon-to-be-adopted UK adequacy decisions. One of the most complicated issues, though, concerns indirect transfers of personal data from the EU to the UK, for example those that involve a third party such as a cloud provider. In general, on Brexit day, firms must stop these transfers unless certain safeguards or exemptions are in place. For example, a transfer might rely on the safeguard of the European Commission’s standard contractual clauses, or it might fall under an exemption where the transfer is necessary to perform a contract. Binding corporate rules also represent an option. However, firms might also decide that storing or processing EU personal data in the UK is not a viable strategy, especially while an EU decision recognizing the UK as “adequate” for the purposes of data protection is lacking. These firms might decide to invest in the creation of EU-based data centers or to work with providers that offer that as an option. They might also consider technical measures to secure those transfers: anonymizing data before it is shipped to the UK is one way of doing so.
- What should firms do today? The best thing firms can do today is to ensure that they comply with the existing data protection rules, namely the GDPR and the UK’s Data Protection Act 2018. While the regulatory landscape will undoubtedly become more complex, it will remain largely consistent with the existing one. However, our data suggests that only half of UK organizations are compliant with GDPR. Hence, I would strongly advise firms to accelerate the execution of their compliance strategies. With Brexit in mind, firms must understand their international flows of personal data. The key transfers to identify will be those from the EU to the UK. Firms should prioritize remediation of transfers that involve large volumes of data, transfers of special-category data or criminal convictions and offences data, and business-critical transfers. Investing in the appropriate measures to ensure that these transfers are lawful is essential. Firms should also review their existing privacy policies, data protection impact assessments, data subject rights processes, and measures to demonstrate accountability, as these are areas that will require further adjustments.