GDPR and Brexit: How will one affect the other?
What leaving the EU means for UK data laws and other regulations
The General Data Protection Regulation (GDPR) was introduced on 25 May 2018, designed primarily to standardise data protection rules across the European Union, but also to improve data subject rights and make business data collection more transparent.
However, the UK has now exited the European Union and is, therefore, no longer subject to EU laws introduced after this withdrawal date. Yet, there's the small matter of historic legislation, which raises the question: is a post-Brexit UK still bound to GDPR?
The short answer is yes. The UK has long been committed to the creation of robust data protection laws and was, in fact, one of the principal architects of GDPR. As such, the UK government had long maintained that GDPR would be absorbed into UK domestic law, which was eventually done as part of the European (Withdrawal) Agreement.
This agreement means that GDPR and the UK's existing Data Protection Act 2018 work in tandem to rule on data cases.
Data Protection Act 2018 and GDPR
Many incorrectly assume that because the UK has left the EU, GDPR no longer applies to the UK. While this could technically be true if efforts were made to remove the UK completely from the EU framework, the reality is that every effort has been made to make sure data transfers between the EU and UK remain intact - which means signing up to GDPR.
Both the UK's Data Protection Act 2018 and the EU's GDPR were necessary for ensuring things essentially stayed the same once the UK left the EU. Once outside of the bloc, the UK was relegated to 'third country' status, a classification that means a country needs to prove it has robust enough data laws, equivalent to those found in the EU, if it wants to maintain access to EU data. Failure to meet this demand would result in the country being blacklisted, and all data transfers to that country banned under GDPR.
Conversely, any country that is deemed to have at least equivalent data protection laws to those in the EU will qualify for 'adequacy status', with an adequacy agreement signalling that data can flow between the EU and the country in question unhindered.
The Data Protection Act 2018 was designed to demonstrate this very commitment, while also implementing many of the standards set out in GDPR, as well as a few extra mechanisms unique to UK law.
The UK left the EU on 31 January 2020, and entered a transition period that lasted until 31 December 2020. Once the UK became a third country on 1 January 2021, it was able to apply for an adequacy agreement. On 19 February 2021, the EU issued a draft decision that recognised the UK's data protection laws as adequate, which is likely to be confirmed over the next few months.
GDPR and Brexit: Dealing with EU citizens
However, that's not quite the full picture, as businesses will need to keep in mind a number of quirks of law and potential headaches as a result of Brexit.
Given the UK is now outside of the EU, and therefore beyond the scope of the European Court of Justice, data regulation will largely fall on the Information Commissioner's Office, unless the case deals with EU residents.
Regardless of UK domestic law, UK companies that have dealings with European residents still need to adhere to GDPR in full, and so many will have been forced to overhaul their practices irrespective of any agreements made after Brexit. Equally, UK companies may be required to liaise with an EU data protection authority in the event of a data incident, so it's best to keep up to date with enforcement across the bloc.
GDPR and Brexit: Dodging 'No Deal'
The good news is that the UK has already avoided the worst case scenario - a 'no deal Brexit'.
The UK government had said that in the event of a 'No Deal', it would have allowed data to flow from the UK to countries in the European Economic Area (EEA). However, the EU would have almost certainly banned data transfers to the UK as soon as it left the union.
The Information Commissioner's Office (ICO), the UK regulator responsible for data protection enforcement, warned at the time that those organisations which rely on EEA data transfers would need to move to alternative mechanisms in the event of a no deal Brexit.
Perhaps the only viable alternative at the time was standard contractual clauses (SCCs), a mechanism that still exists and provides a means for organisations to bake GDPR-style data protections into contractual arrangements, acting as terms and conditions that both parties must sign up to. These are particularly useful for sending data to countries whose data protection laws are not deemed adequate enough by the EU to protect European citizen data.
However, to complicate things further, the legitimacy of SCCs was called into question as part of a landmark case brought before the European Court of Justice. Ultimately, the ECJ ruled in December 2020 that these were indeed valid methods of transfer, provided that the companies using them take steps to ensure data is protected.
Which other data regulations have been affected?
The Privacy and Electronic Communications Regulations (PECR) rules, which cover marketing, cookies and electronic communications, are EU laws established within the UK legal framework, and so continue to apply despite the UK leaving the EU.
However, the EU will soon be updating PECR with its upcoming ePrivacy regulation, which is expected to come into force within the year, and will therefore not apply to the UK automatically. There is currently no indication that UK laws will be updated to align with this.
The Security of Networks & Information Systems (NIS) directive is also derived from the EU but is another that has already been set out in UK law. As such, the current rules continue to exist despite Brexit.
The electronic Identification, Authentication and Trust Services regulation is also an EU law that has since been transposed into UK law. Both the EU version and a UK version have been effectively blended together to form an amended version known as the UK eIDAS Regulations.
As with the NIS directive, businesses will also need to adhere to eIDAS laws in EU Member States, which fall outside the enforcement of the UK.
The Freedom of Information Act 2000 is now UK law and continues to apply despite Brexit.
Environmental Information Regulations are set out in UK law and so continue to apply unless repealed.