GDPR after Brexit – what happens now?

The General Data Protection Regulation (GDPR) countdown clock has barely stopped ticking yet UK companies doing business in the EU are having to brace themselves for another layer of complexity after Brexit.

Brexit is unlikely to reverse the work that has been done in the area of data protection in the UK: the Data Protection Act 2018 (DPA), passed on 23 May 2018, contains regulations and protections equivalent to those set out in the GDPR (known as the ‘Applied GDPR’). UK companies doing business in Europe will nonetheless face new challenges from a GDPR compliance perspective.

For a start, a UK company may find itself subject to both the GDPR and the parallel Applied GDPR regime introduced under UK law. Consequently, a data breach might well fall within the competence of both the UK ICO and one or more EU regulators. In addition, UK companies are likely to face increased procedural challenges when reporting data breaches.

Currently, UK companies can rely on the ICO, as their lead supervisory authority, to take the lead in any breach scenario, without the need to engage the other affected authorities directly.

Irrespective of whether a Brexit deal is reached, this ‘one stop shop’ approach will no longer apply and a company will need to report a data breach separately to each affected EU supervisory authority.

If a deal is reached, it is anticipated that the status quo will continue as far as EU data transfers are concerned until the end of 2020. It is hoped that this transition period will allow enough time for the UK to obtain an ‘adequacy’ decision from the European Commission, so that data can continue to flow freely between the EU and the UK.

If Britain exits with no deal, the UK becomes a ‘third country’ overnight and, subject to further guidance being issued in this area, it will no longer be lawful to transfer personal data from the EEA to the UK without additional legal protections being put in place.

These additional legal protections can take the form of standard contractual clauses (known as ‘EU Model Clauses’) adopted by the European Commission or, for intra-group transfers, binding corporate rules (BCRs). Both options will require additional resources to implement and administer, and will need to be reflected in the company’s online privacy policy.

Any contracts currently in place which prohibit the transfer of data outside the EU will also need to be evaluated, since after Brexit a transfer to the UK will fall within such a prohibition.

In the light of Brexit, UK-based firms doing business in Europe should therefore consider:

  • appointing an Article 27 EU Representative, if the company will have no establishment in the EU;
  • documenting their EU to UK data transfers, and identifying a transfer strategy, e.g. adoption of Model Clauses;
  • reviewing their existing business contracts, as some contracts may prohibit transfers of data outside the EU; and
  • updating Privacy Notices, so that they are transparent in informing data subjects that their personal data will be passed out of the EU, and reflect any change in the main establishment of the company or the identity of the EU Representative.

We can guide you and give advice for your organisation on the points above.