How will Brexit affect GDPR?
What happens after the UK leaves the European Union?
The General Data Protection Regulation (GDPR) became the core of the European Union’s digital privacy legislation, and as such the UK’s as well. The GDPR introduced many new rules designed to protect the personal data of EU citizens and made us all more accustomed to high data protection standards.
One question arises from the Brexit situation: will UK citizens end up as the aggrieved party?
Nowadays, almost everything we do daily revolves around data, and mostly we are not even aware of it. Banks, insurance and retail companies, and governments all use our personal data. It starts with name, address and credit card number, but then goes on to marital status, beliefs, and even our consumer behavior and preferences.
The point is, the personal data of UK citizens will need to be protected under some sort of data protection law (the funny thing is that the UK was one of the main forces in creating the Regulation).
GDPR in the UK after Brexit
Since the GDPR is a creation of the EU legislature, its main concern is to protect the personal data of EU citizens, and it does so with an extraterritorial effect: organizations outside the EU are also obliged to comply when processing the personal data of EU citizens.
As the UK has voted to leave the European Union and won’t be subject to EU regulations, will there still be a need to comply with the GDPR? The answer is yes.
UK organizations will still need to comply with the Regulation when processing the personal information of EU citizens (because of its extraterritoriality), and also because it will be absorbed into UK domestic law.
The current UK data protection law is the Data Protection Act 2018. The Data Protection Act 2018 will no longer rely on the EU GDPR but on the UK-GDPR.
The UK-GDPR is essentially the same as the EU GDPR, made from the same legal text, but modified so that references to the EU and Union law are replaced with references to the UK and domestic law.
December 31, 2020, is marked as the end of the transition period. While in transition, the UK remains in both the EU customs union and single market.
The UK will have the special status of a “third country”, which requires such countries to maintain robust data protection laws providing protection equal to that in the EU; the EU GDPR will no longer be applicable in the UK from 1 January 2021.
The GDPR will be brought into UK law as the ‘UK GDPR’, but there may be further developments about particular issues such as UK-EU transfers.
The GDPR will be retained in domestic law at the end of the transition period, but the UK will have the independence to keep the framework under review.
How will Brexit affect EU citizens’ data protection?
As the UK will be outside the European Union and beyond the jurisdiction of the European Court of Justice, data protection regulation will fall to the ICO (Information Commissioner’s Office), except where the situation concerns EU citizens and residents.
Companies in the UK that deal with European citizens will still need to adhere to the GDPR, and will likely need to cooperate with EU data protection authorities if a data incident occurs.
Will Brexit mean the GDPR doesn’t apply anymore?
In short, the personal data of EU citizens will still be protected, and the UK businesses will have to comply with the GDPR when processing personal data of EU citizens.
GDPR will not apply to UK citizens. However, if you operate inside the UK, you will need to comply with UK data protection law.
The UK intends to incorporate the GDPR into UK data protection law from the end of the transition period, so core data protection principles, rights, and GDPR obligations will remain mostly the same.
What is a no-deal Brexit?
A no-deal Brexit means the UK leaving the European Union immediately, without an agreement on the withdrawal process. The UK would leave EU institutions at once and stop contributing to the EU budget.
Data Protection and No-deal Brexit
In the scenario of the UK leaving the EU without a deal, rules affecting small and mid-sized businesses (SMBs) related to data protection would stay the same.
If you are a UK business or an organization that is compliant with the GDPR and you do not have any contacts or customers in the EEA (EEA = EU plus Iceland, Liechtenstein, and Norway), you do not need to do much regarding compliance after Brexit.
If you have an office or other established presence, as well as customers in the EEA, there will be a need to comply with both UK and EU data protection regulations, and you might need to appoint a representative in the EEA.
How should a UK organization act in the different Brexit situations?
1. When the UK organization has no contacts/customers in Europe
- The presumption is that organizations are already GDPR-compliant.
- GDPR will be replaced with GDPR-like UK data protection law.
- This mostly affects SMBs.
2. The UK organization that sends data to the EEA
- Data transfers to the EEA will not be restricted. However, from the end of the transition period, GDPR transfer rules will most likely apply to any data coming from the EEA into the UK.
- Consider what GDPR safeguards you can put in place to ensure that data can continue to flow into the UK.
3. The UK organization that receives data from the EEA
- The EU will undertake a data adequacy assessment of the UK to allow the ongoing free flow of personal data from the EU/EEA to the UK.
- When/if an adequacy decision for the UK is adopted, there will be no changes to the way you send personal data to the EU/EEA.
4. If the UK organization has European customers or a European presence
- You need to comply with both UK data protection law and the GDPR.
- If you have a presence in the EEA your EU activities will be covered by the GDPR
- In most cases, you will have to appoint a representative within the EEA and comply with the GDPR for the related activities.
5. The UK organization that sends or receives data to/from countries outside Europe
- Transfers from the United Kingdom to countries deemed to provide adequate protection may continue uninterrupted, but the European Union must review them.
- Transfers from countries outside the EEA that are subject to an EU adequacy decision are still under consideration.
- Transferring data from the United Kingdom to countries outside the EEA that are not subject to an adequacy decision will require companies to continue to comply with the “restricted transfer” provisions. Future arrangements of this kind will be a matter for the UK Government.
Explore the Brexit topic
We encourage you to explore the topic of data protection and Brexit further with relevant links: