The Brexit deadline of 31 October is fast approaching, and businesses are preparing for all outcomes, including a no-deal exit.
One issue that has gone under the radar for many businesses is the impact of Brexit on their data protection.
Regardless of the Brexit outcome, the rules of the GDPR will continue to apply. This is because the GDPR was transposed into UK law in the Data Protection Act 2018, and the government is committed to ensuring that all EU laws which currently apply to the UK will be put into UK law by exit day. Businesses should, therefore, ensure that they continue to meet the standards set by the GDPR after the end of October no matter what.
The biggest issue that Brexit raises for data protection is how it will impact the transfer of data between the EEA and the UK.
- For data flowing from the UK to the EEA following a no-deal exit, there will be no substantive change in the law. The Government has already taken the decision to recognise EEA data protection law as adequate, and as such no restrictions will be placed on the transfer of data from the UK.
- For data flowing from the EEA to the UK following a no-deal exit, the situation is a little more complicated. This is because the EU has said that it is not in a position to make a formal decision on the adequacy of UK data protection law until the UK has third country status. Third country status means that there must be a lawful basis for transferring data from the EEA to the third country, which is a higher burden for businesses to meet. Because UK data protection law is the same as the GDPR, it is extremely likely that the EU will determine that the UK’s data protection laws are adequate. The issue is that this decision will not be immediate, and in the time between leaving the EU and a decision being made UK businesses must ensure that they have a lawful basis for importing data from the EEA.
- If the UK were to leave with a deal at the end of October, this would involve a transitionary period. During this transitionary period the UK would be outside of the EU, but there would be an agreement not to place restrictions on the flow of data. As such there would be no impact on data protection during this period, and the EU would have the time to formally make an adequacy decision as to whether the UK would have third-country status.
- There is one final scenario, which is where the UK leaves the EU but remains in the EEA. This would mean the UK would have the same status as countries like Norway and Iceland. In this case, there would be no changes to data protection as the GDPR applies in the EEA as well as the EU, and as such data would be able to flow freely.
The flow of data is not the only way that Brexit will impact data protection. Should the UK end up outside of the EEA, UK firms which process the data of EEA data subjects will be required to have an EU-based representative. This is a local EU-based company that can assist in providing information should there be a breach and a point of access be needed in the EU. You can find more information on eurorep.eu.