If the UK leaves the EU without a deal, then the UK will become a third country for the purposes of EU data protection law.

While the UK Government has stated that UK data protection law will, at least in the short term, recognise all EEA states and Gibraltar as adequate, the European Commission has confirmed that the process for carrying out an adequacy assessment of UK law will not commence until after exit day.

This guidance note sets out the key issues arising out of that change in status and the changes that will be made to data protection law immediately before exit day.

Proposed changes to data protection law in the UK

As part of its preparations for Brexit, the UK has made a series of amendments to the General Data Protection Regulation ("GDPR") as it will apply in the UK (which will then become the "UK GDPR") and to the Data Protection Act 2018 ("DPA 2018"). You can find these amendments here:

  • Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019
  • Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) (No. 2) Regulations 2019

The amendments are extensive, with the main statutory instrument running to over 60 pages, and add to an already complex framework whereby GDPR needs to be read in conjunction with the DPA 2018.

Some of these amendments are minor. Others are more material.

Key changes to UK law:

  • The concepts of "GDPR" and "Applied GDPR" in the DPA 2018 will cease to apply. Instead, UK GDPR will apply to all processing of personal data.
  • Transfers of personal data outside the UK will be subject to the same controls as transfers outside the EEA under GDPR (but the UK will adopt all existing EU findings of adequacy and consider the EEA as adequate)
  • The Information Commissioner's Office ("ICO") will no longer be able to act as lead supervisory authority under the "one-stop shop" or in relation to approval of Binding Corporate Rules.
  • Controllers and processors established in the UK may need to appoint a representative in the EEA, depending on the nature of their processing activities
  • Controllers and processors established in the EEA may need to appoint a representative in the UK, depending on the nature of their processing activities
  • Decisions of the CJEU, guidance from the European Data Protection Board, and acts of the European Commission after exit day will not apply to UK GDPR
  • The powers of the European Commission under GDPR will vest in either the Secretary of State or the Information Commissioner's Office under UK GDPR
  • Organisations seeking to rely on Privacy Shield for transfers of personal data to the US will need to ensure that the US organisation expressly commits in its privacy notice to applying the Privacy Shield Principles to transfers from the UK

To assist organisations and others with understanding the changes, the Department for Digital, Culture, Media and Sport has published Keeling Schedules for both the DPA 2018 and GDPR. Keeling Schedules are documents that use tracked changes to show proposed amendments to legislation:

  • DPA 2018: https://brodi.es/DPA2018Keeling
  • GDPR: https://brodi.es/GDPRKeeling

The National Archives will be publishing a conformed version of UK GDPR, incorporating the amendments, alongside numerous other EU regulations that are being amended as part of the Brexit process. In the rest of this guide, we set out the key issues for controllers and processors both in the UK and the EEA.

Controllers in the UK

It is unlikely that any action is required if a controller processes personal data solely in the UK in relation to data subjects in the UK. No additional steps should need to be taken in the short term by UK controllers that use processors located in the EEA.

GDPR will continue to apply to any processing in relation to data subjects in the EEA that is subject to the extra-territorial provisions of GDPR.

UK law will continue to recognise the EU Standard Contractual Clauses, findings of adequacy, and Binding Corporate Rules as at exit day.

Checklist:

  •  If you process personal data in relation to the offering of goods and services to data subjects in the EEA, or otherwise monitor their behaviour, have you appointed a representative in the EEA?
  •  If you are subject to both GDPR and UK GDPR, do you know which processing and personal data is subject to which regime?
  •  Have you updated your register of processing activities and policies such as your procedures for notifying personal data breaches and other matters requiring cooperation with supervisory authorities?
  •  If transferring personal data to the US on the basis of Privacy Shield, has the US recipient updated its privacy notice to state that it will apply the Privacy Shield Principles in relation to transfers of personal data from the UK?
  •  If receiving personal data from a controller in the EEA, have the parties entered into the EU's Standard Contractual Clauses for controller to controller transfers?
  •  If your organisation has currently nominated the ICO as its lead supervisory authority under the one-stop shop, have you appointed a new lead supervisory authority in relation to your EEA processing activities?
  •  Have you reviewed and updated references in your contracts and templates to restrict transfers outside the UK? Are any amendments required to references to EU law?

Processors in the UK

If you process personal data as a processor only for controllers located elsewhere in the UK in relation to data subjects in the UK, then no additional action is necessary.

GDPR will continue to apply to any processing carried out on behalf of controllers in the EU27/EEA, or that is otherwise subject to the extra-territorial provisions of GDPR.

UK law will continue to recognise the EU Standard Contractual Clauses, findings of adequacy, and Binding Corporate Rules as at exit day.

Checklist:

  •  If you process personal data in relation to the offering of goods and services to data subjects in the EU27/EEA, or otherwise monitor their behaviour, have you appointed a representative in the EU?
  •  If you are subject to both GDPR and UK GDPR, do you know which processing and personal data is subject to which regime?
  •  Have you updated your register of processing activities and policies such as your procedures for notifying personal data breaches and other matters requiring cooperation with supervisory authorities?
  •  If transferring personal data to the US on the basis of Privacy Shield, has the US recipient updated its privacy notice to state that it will apply the Privacy Shield Principles in relation to transfers of personal data from the UK?
  •  If your organisation has currently nominated the ICO as its supervisory authority under the one-stop shop, have you appointed a new lead supervisory authority in relation to your EU27/EEA processing activities?
  •  Have you reviewed and updated references in your contracts and templates to restrict transfers outside the UK? Are any amendments required to references to EU law?

Controllers in the EEA

UK GDPR applies the extra-territorial provisions of GDPR to organisations outside the UK. Controllers in the EU27/EEA may be subject to both GDPR and UK GDPR.

For the purposes of GDPR, the UK will be a third country. Transfers of personal data to the UK will be subject to the provisions in Chapter V of GDPR.

Checklist:

  •  If you process personal data in relation to the offering of goods and services to data subjects in the UK, or otherwise monitor their behaviour, have you appointed a representative in the UK?
  •  Are you familiar with your obligations under UK GDPR?
  •  If you are subject to both GDPR and UK GDPR, do you know which processing and personal data is subject to which regime?
  •  Have you updated your register of processing activities and policies such as your procedures for notifying personal data breaches and other matters requiring cooperation with supervisory authorities?
  •  If you use a UK-based processor, or otherwise share personal data with a controller established in the UK, have you entered into the relevant Standard Contractual Clauses?
  •  If your organisation has currently nominated the ICO as its supervisory authority under the one-stop shop, have you appointed a new lead supervisory authority in relation to your EU27/EEA processing activities?