Many businesses may feel they are still reeling from the work they had to undertake to get ready for General Data Protection Regulation (GDPR) in May 2018 but, leaving aside the day-to-day compliance, exit from the European Union (EU) could bring another crop of regulatory hoops to be jumped through.
Currently UK data protection is governed by the GDPR in accordance with EU policy. Compliance with GDPR enables the UK to partake in a free-flowing network of data between all EU member states. Countries without EU membership are treated as third countries in relation to the GDPR and are subject to various restrictions on data transfers from Europe.
Once the UK leaves the EU it will become one of these third countries and, whilst it can make its own laws about the export of UK generated data, it will have to comply with EU rules concerning data coming into the UK from the EU, or transiting from one EU state to another via the UK.
There remains considerable uncertainty about the long-term relationship between the UK and the EU after Brexit, not least in relation to data protection. However there is a significant difference between leaving under a no-deal scenario and leaving with a withdrawal agreement and a transition period. A withdrawal agreement will retain the status quo for the transition period at least. A no-deal will necessitate some prompt action by businesses.
So what is the position with transferring personal data into and out of the EU after a no-deal Brexit?
• Transfers of personal data from the UK to the EU: the UK Government has confirmed that the GDPR will be retained in domestic law after Brexit, together with the Data Protection Act 2018, and that it is committed to transitionally recognising European Economic Area (EEA) countries as having adequate data protection regimes. It will therefore be possible to transfer personal data from the UK to the EEA as now.
• Transfers of personal data from the UK to the USA: the UK Government has said it will recognise US companies which have signed up to the Privacy Shield Framework in the USA as having adequate data protection regimes, but those companies must update their privacy policies specifically to refer to personal data transfers from the UK. Therefore if you transfer personal data to any Privacy Shield organisation you should check that it has updated its privacy policy.
• Transfers of personal data from the UK under binding corporate rules: the UK Government has said it will recognise binding corporate rules approved before exit day and therefore data transfers from the UK under such binding corporate rules will be compliant.
• Transfers of personal data to the UK from the EEA: the UK will be a third country so no longer automatically regarded as having adequate data protection for personal data to be transferred from the EU to the UK. Without an adequacy decision in favour of the UK (which will not be in place immediately in the event of a no-deal Brexit) some other form of adequate safeguard must be put in place for EU organisations to transfer personal data to the UK. UK businesses will need to take their own advice as to the safeguards available to them but, for many, it will necessitate including the EU “standard contractual clauses” into their contracts with EU organisations.
Therefore, whilst data transfers from the UK to the EU are likely to be unaffected immediately after a no-deal Brexit, data transfers to the USA and data transfers from the EU could be seriously affected.
To ensure business continues smoothly after Brexit Day, UK businesses ought to take a proactive approach to GDPR compliance and consider the following:
• Whether the business exports personal data to the USA
o If so, ask for sight of the US recipient’s privacy policy so that you can check it covers
transfers of personal data from the UK.
• Whether the business receives data from any EEA countries
o If so, consider the safeguards available for the import of that data and, if necessary,
be ready to implement the EU standard contractual clauses into the commercial
agreement.
If you would like to discuss any aspect of this article, please get in touch with Mary Chant or your usual Thrings contact. Alternatively, please visit Thrings’ Business of Brexit pages.
