News & Insight
Just got your head around GDPR? What does Brexit mean for UK data protection legislation…
he UK is set to crash out of the EU in less than a month’s time (12 April 2019), unless Parliament accepts the Prime Minister’s deal or the Government revokes Article 50 altogether. The common theme in our recent publications has been commenting as the Government addresses legislative deficiencies that would be created by the UK’s departure from the EU without a deal in place (and frantically treads water in the process). The rules governing data protection are not spared by the Government’s review and have been amended by the Data Protection, Privacy and Electronic Communications (Amendments Etc) (EU Exit) Regulations 2019 (the “Regulations”).
In simple terms, personal data encapsulates the information used to identify an individual (e.g. their name, address, IP address, payroll details, etc.). Currently, the rules which govern the exchange of such personal data are contained in the EU General Data Protection Regulation (“GDPR”) which came into effect across the EU in May 2018.
This bulletin summarises the changes made by the Regulations to the current legal framework which applies to data protection. It will also set out a few practical steps business may take in order to ensure that they are complying with the Regulations no matter the outcome of Brexit.
How will Brexit alter the use of personal data?
The Department for Business, Energy and Industrial Strategy (“BEIS”) published, on 6 February 2019, a guidance note on how personal data should be processed post-Brexit (the “Guidance”).
The Guidance highlights that changes to the use of personal data will depend on whether the UK will exit the EU with or without a deal in place.
- If the UK leaves the EU with the Prime Minister’s deal, the GDPR would still apply to data processed in the UK which originates from data subjects from the EU. The EU will not treat data which originates from the UK any differently than it does now (under the GDPR). The status quo is preserved for a two-year transition period from the date of the UK’s exit from the EU. At the end of the transition period, the EU will need to determine whether the UK still provides an adequate level of protection as regards personal data (i.e. under the Regulations). According to the BEIS, the EU will endeavour to adopt adequacy decisions (which would allow the continued free flow of personal data from the EU to the UK (and vice versa) under the Regulations) prior to the end of the transition period.
- If the UK leaves the EU without a deal, UK businesses will not be able to benefit from the transition period set out in Theresa May’s Brexit deal. This is due to the fact that the European (Withdrawal) Act 2018 will repeal the European Communities Act 1972 which automatically incorporated the GDPR into UK domestic law. In order to avoid a legislative gap created by a no-deal Brexit, the Regulations say that the GDPR will remain as UK law upon the country’s exit from the EU. In this scenario, there are two types of data transfers to look at:
- UK to EU: the Guidance states that there would not be any immediate change to the UK’s data protection standards. The Regulations come into force on exit day as UK law and maintain the status quo set out by the GDPR.
- EU to UK: the process of transferring data from the EU to the UK will be altered (by requiring businesses to implement safeguards which cover such transfers) on and after exit day until the European Commission adopts an adequacy decision as regards the level of data protection available in the UK. This is due to the fact that the UK would become a ‘third country’ for the purposes of the GDPR.
What will actually change?
The Regulations seek to maintain the data protection standards which currently exist under the GDPR. The legislation merely introduces a newly merged regime for general processing activities. Nevertheless, certain practical points as regards data processing are going to be altered as a consequence of the Regulations coming into force on exit day.
The principal change to the current legal framework in the UK would be the Secretary of State’s new ability (which replaces the European Commission’s role) to make adequacy decisions as regards transferring personal data to ‘third countries’ outside the EEA.
What businesses need to do now (in case of a no-deal Brexit)
The Information Commissioner’s Office (“ICO”) has set out six steps UK business should take in order to prepare for a no-deal Brexit. The recommended steps are as follows:
- Continue to apply GDPR standards and follow the current ICO guidance.
- Identify where the business received data into the UK from the European Economic Area.
- Identify where the business transfers data from the UK to any country outside the UK, due to the fact that the business will fall under new UK transfer and documentation provisions.
- Review the business’ structure, processing operation and data flows to assess how the UK’s exit from the EU will affect the data protection regimes that apply.
- Review the business’ privacy information and internal documentation in order to identify any details that will need updating when the UK leaves the EU.
- Ensure that key people in the organisation are aware of the key issues set out above and keep up to date with latest information and guidance regarding Brexit.
With less than a month left until Brexit and no deal in sight (at the time of writing), businesses based in the UK should follow the Regulations and the guidance provided by the ICO as regards transfers of personal data between the EU and the UK.
Even if a Brexit deal is approved by Parliament, the EU will still need to make an adequacy decision with respect to the UK. This process could take up the full extent of the transitional period created by the Regulations in order to ensure businesses in the UK and the EU can still exchange data without breaching any rules.
If Brexit is causing you to think about whether your business is processing personal data in compliance with data protection laws or you simply want to discuss any of the issues raised by this bulletin, please do contact us at firstname.lastname@example.org; our team is available to advise.
This piece was researched and prepared by Amir Kursun, with input from Husna Grimes.