How will Brexit affect GDPR?
What happens after the UK leaves the European Union?
The General Data Protection Regulation (GDPR) became the core of the European Union’s digital privacy legislation, and as such the UK’s as well. The GDPR introduced many new rules designed to protect EU citizens’ personal data and made us all more accustomed to high data protection standards.
One question arises from the Brexit situation: will UK citizens end up as the aggrieved party?
Nowadays, almost everything we do daily revolves around data, and mostly we are not even aware of it. Banks, insurance and retail companies, governments: they all use our personal data. It starts with name, address and credit card number, but then goes on to marital status, beliefs and even our consumer behavior and preferences.
The point is, the personal data of UK citizens will need to be protected under some sort of data protection law (the funny thing is that the UK was one of the main forces in creating the Regulation), and it will be.
GDPR in the UK after Brexit
Since the GDPR is the creation of the EU legislature, its main concern is to protect the personal data of EU citizens. It has extraterritorial effect, which means that non-EU countries are also obligated to comply when processing personal data of EU citizens.
As the UK has voted to leave the European Union and won’t be subject to EU regulations, will there be a need to comply with the GDPR? The answer is yes.
UK organizations will still need to comply with the Regulation when processing personal information of EU citizens (because …extraterritoriality), and because it will be absorbed into UK domestic law.
The UK’s current data protection act is the Data Protection Act 2018. It will no longer rely on the EU GDPR but on the UK-GDPR.
The UK-GDPR is essentially the same as the EU GDPR, made from the same law text, but modified so that the parts of the text that read “EU” and “Union law” are replaced with “UK” and “domestic law”.
December 31, 2029, is marked as the end of the transition period, and the UK-GDPR and the Data Protection Act 2018 (DPA2018) are there to protect UK citizens.
On the one hand, the UK-GDPR will define what personal data is and how it’s allowed to be processed, while on the other hand, the DPA2018 will supplement the domestic GDPR.
The UK will get the special status of a “third country”, which requires a country to maintain robust data laws that provide protection equal to those in the EU.
For a long time, it was uncertain when Brexit would happen. The deadline is now set for 31 January 2020, which is three and a half years after the referendum.
How will Brexit affect EU citizens’ data protection?
As the UK will be outside the European Union and beyond the reach of the European Court of Justice, data regulation will fall to the ICO (Information Commissioner’s Office), except when the situation applies to EU citizens and residents.
Companies in the UK that deal with European citizens will still need to stick to the GDPR, and will likely need to cooperate with EU data protection officials if a data incident occurs.
Will Brexit mean the GDPR doesn’t apply anymore?
In short, the personal data of EU citizens will still be protected, and UK businesses will have to comply with the GDPR when processing personal data of EU citizens. The GDPR will not apply to UK citizens, though.
What is a no-deal Brexit?
A no-deal Brexit means the immediate exit of the UK from the European Union without an agreement on the dissolution process. This means that the UK would leave EU institutions immediately and stop contributing to the EU budget.
Data Protection and No-deal Brexit
In the scenario of the UK leaving the EU without a deal, rules affecting small and mid-sized businesses (SMBs) related to data protection would stay the same.
If you are a UK business or an organization that is compliant with the GDPR and you do not have any contacts or customers in the EEA (EEA = EU plus Iceland, Liechtenstein, and Norway), you do not need to do much regarding compliance after Brexit.
If you have an office or other established presence, as well as customers in the EEA, there will be a need to comply with both UK and EU data protection regulations, and you might need to appoint a representative in the EEA.
How to act in Brexit situations?
1. When the UK organization has no contacts/customers in Europe
• Companies should already be GDPR-compliant;
• Mostly affects SMBs;
• The EU GDPR is incorporated into UK domestic law starting on exit day.
2. A UK organization that sends data to the EEA
• Data transfers to the EEA will not be restricted;
• No need for additional steps here.
3. A UK organization that receives data from the EEA
• A data controller that sends personal data to a UK organization will need to be GDPR compliant;
• Implement an uncomplicated data transfer agreement or contract with the EEA business and incorporate the EU approved standard contractual clauses before the exit day.
4. If the UK organization has European customers or a European presence
• Check which regulator will be the leading supervisory authority;
• In most cases — appoint a representative within the EEA and comply with the GDPR for the related activities.
5. A UK organization that sends or receives data to/from countries outside Europe
• Transfers from the United Kingdom to these appropriate countries may continue uninterrupted but the European Union must review them;
• The transfer of data from the countries outside the EEA but subject to an EU adequacy decision is still under consideration;
• Transferring data from the United Kingdom to countries outside the EEA that are not subject to an adequacy decision will require that companies continue to comply with the “restricted transfer” provisions. Arrangements like these in the future are going to be a matter for the UK Government.
Summary of the GDPR in the UK in a post-Brexit era
When the UK leaves the European Union, this is what will happen to personal data processing in the UK:
➡️The new UK-GDPR takes effect;
➡️A modified Data Protection Act 2018 takes effect;
➡️The EU GDPR applies in the UK in the transition period, which is until December 31, 2020.