GDPR and Brexit: How will one affect the other?
What leaving the EU, particularly without a deal, means for UK data laws
The General Data Protection Regulation (GDPR) came into force on 25 May 2018. It was designed primarily to harmonise data protection rules across the European Union, but also to strengthen data subject rights and to make the collection of personal data by businesses more transparent.
However, the UK has now voted to leave the European Union and will therefore no longer be subject to EU laws introduced after this withdrawal date. Yet, there's the small matter of current legislation, which raises the question: will the UK still be bound to GDPR post-Brexit?
The short answer is yes. The UK has long been committed to robust data protection law and was, in fact, one of the principal architects of GDPR. GDPR will be carried over into UK domestic law as retained EU law under the European Union (Withdrawal) Act 2018. Once this happens, a UK version of GDPR and the UK's existing Data Protection Act 2018 (DPA 2018) will work in tandem as the legal basis for data protection cases.
The creation of the DPA 2018 was a key part of this commitment. Once the UK leaves the EU, it will become a 'third country' for the purposes of GDPR, which means that transfers of personal data from the EEA to the UK are restricted unless a recognised safeguard applies. The most convenient safeguard is an adequacy decision (often referred to as an adequacy agreement), in which the European Commission finds that a third country's laws provide protection essentially equivalent to that found in the EU. An adequacy decision is there to ensure data belonging to individuals within the EEA remains protected if it is transferred to a country outside the EU's jurisdiction.
The UK government has made clear it will seek an adequacy agreement with the EU, however, the process for this can only start once the UK leaves the bloc.
The UK was due to become a 'third country' at 11pm UK time on 29 March 2019 (midnight Brussels time on 30 March), however, the departure date was postponed first to 12 April and then to 31 October 2019. Every indication now suggests the UK will leave the European Union on 31 January 2020.
Dealing with EU citizens
However, that's not quite the full picture, as businesses will need to keep in mind a number of quirks of law and potential headaches as a result of a union exit.
Given the UK will be outside of the EU, and therefore beyond the jurisdiction of the Court of Justice of the European Union (ECJ), enforcement of data protection law will largely fall to the Information Commissioner's Office (ICO), unless a case concerns individuals in the EU.
Regardless of UK domestic law, UK companies that offer goods or services to, or monitor the behaviour of, individuals in the EU remain within the territorial scope of GDPR (Article 3(2)) and will need to adhere to it, so many will have had to overhaul their practices irrespective of Brexit. Such companies may also be required to appoint a representative in the EU (Article 27) and to liaise with an EU data protection authority in the event of a data incident.
However, the biggest challenge of the Brexit process is the prospect of leaving without a deal. The UK government has said that in the event of a 'No Deal', it would permit data to flow from the UK to countries in the European Economic Area (EEA), however, it has no control over the flow of data from the EEA to the UK.
A negotiated agreement is now seen as the only way to ensure the UK is able to secure EU approval for the transfer of data towards the UK, although there's no guarantee a deal would include this provision.
The effect of No Deal
The Information Commissioner's Office (ICO), the UK regulator responsible for data protection enforcement, has issued advice to organisations that rely on EEA data transfers, explaining that alternative transfer mechanisms may be required in the event of a no deal Brexit. The European Data Protection Board, which replaced the Article 29 Working Party under GDPR and comprises representatives from each Member State's data protection regulator, has published similar advice to European organisations.
One such alternative is the use of standard contractual clauses (SCCs). These are model contract terms, approved by the European Commission, that both parties sign up to and that build GDPR-style data protection obligations into the contractual arrangement. They are particularly useful for sending data to countries whose data protection laws the EU does not deem adequate to protect the data of people in the EU.
In the context of Brexit, this means that the UK could use SCCs if a data transfer arrangement is not formalised as part of a negotiated exit. If a negotiated exit does not include a provision for data transfers, or if a no-deal scenario is realised, the UK will have to wait an indeterminate period of time before an adequacy decision is reached, creating an even greater need for mechanisms such as SCCs.
The legitimacy of SCCs was called into question in a landmark case brought before the ECJ (the Schrems II case, Data Protection Commissioner v Facebook Ireland and Schrems). In December 2019 the court's Advocate General delivered a non-binding opinion concluding that SCCs are a valid transfer mechanism provided that the companies using them take steps to ensure the data is actually protected in the destination country; the court's final judgment was still awaited at the time of writing.
Provisions are also in place for organisations within the EEA that are sending data to a country outside the bloc, which will include the UK. GDPR restricts the flow of personal data outside the EEA unless the data protection rights of the individual are safeguarded in a way the EU recognises, for example an adequacy decision or SCCs. The UK's Data Protection Act 2018 is not in itself such a safeguard, but it is the basis on which the UK will argue for an adequacy decision.
There are a host of restrictions that govern international transfers; we therefore recommend you follow the in-depth advice published by the ICO, which explains the various instruments and restrictions involved.
Prior to GDPR coming into force, the focus was on ensuring business processes complied with the new rules, which in some cases meant appointing a data protection officer (DPO). The focus has now shifted to ensuring that compliant businesses can maintain data transfers across Europe post-Brexit. In order to continue trading with as little disruption as possible, organisations are now encouraged to plan for a No Deal outcome.
Which other data regulations will be affected?
The Privacy and Electronic Communications Regulations (PECR), which cover marketing, cookies and electronic communications, implement the EU ePrivacy Directive within the UK legal framework, and so will continue to apply once the UK leaves the EU.
However, the EU is preparing to replace the ePrivacy Directive with a new ePrivacy Regulation. That regulation is expected to come into force after the UK leaves and will therefore not apply in the UK. There is currently no indication that UK law will be updated to align with it.
The rules derived from the EU Directive on security of network and information systems (NIS) are also set out in UK law, in the NIS Regulations 2018. As such, the current rules will continue to exist.
However, in the event of a No Deal Brexit, UK businesses that provide digital services in the EU will be required to adhere to the local NIS laws of each Member State in which they provide those services, which may require appointing a representative there.
The electronic Identification, Authentication and Trust Services (eIDAS) regulation is also an EU law, but one that, as a directly applicable regulation, has never been transposed into UK law. As such, it will cease to apply to the UK unless a negotiated deal makes specific provision for it.
However, the UK government has said it will implement the eIDAS rules into UK law on exit, which should limit any disruption.
As with the NIS directive, businesses will also need to adhere to eIDAS laws in the EU Member States in which they operate, and those laws will be enforced outside the UK.
The Freedom of Information Act 2000 is now UK law and will continue to apply even in the event of a No Deal Brexit.
Environmental Information Regulations are set out in UK law and so will continue to apply unless repealed.