BREXIT - 12.02.2020

Brexit - data protection changes?

Data protection has been a hot topic for UK businesses for some time, especially since the introduction of the GDPR. But what are the potential implications of Brexit as far as data protection is concerned?

Current position

There will now be a transition period until 31 December 2020 during which most EU law will continue to apply to the UK, including the GDPR and related EU privacy laws. Until the end of the transition period, you should continue to follow existing GDPR guidance, and data flows between the EEA and the UK (and vice versa) can continue as they did before. The Information Commissioner’s Office (ICO) also continues to act as the lead supervisory authority for businesses operating in the UK.

Data protection law from 2021

The government has said that it’s committed to maintaining the high data protection standards established by the GDPR. The Data Protection Act 2018 (DPA) introduced the applied GDPR to extend GDPR standards to certain processing activities outside the scope of EU law. From 1 January 2021, the GDPR and the applied GDPR will merge to form the UK GDPR and amendments will be made to ensure that the UK legal framework for data protection continues to function correctly, e.g. relating to the territorial scope of the UK GDPR. The original GDPR will then be referred to in the UK as the EU GDPR.

Pro advice 1. From 2021 there will be both the UK GDPR and the EU GDPR, and you may need to make changes to privacy notices and other documentation as a result. If you operate in the UK and the EU you may be subject to both.

Pro advice 2. The data protection principles, rights and obligations will remain the same as they are now, so if you’re already complying with the GDPR, you should be in a good position to comply with the post-Brexit data protection regime.

International data transfers from 2021

At the end of the transition period, as far as international data transfers are concerned, the UK will become a third country. The government has said that it doesn’t intend to impose additional restrictions on personal data transfers from the UK to the EEA, meaning that you’ll be able to continue to transfer employee data from the UK to your EEA branches or offices. However, the EU will place a restriction on data transfers from the EEA to the UK. The European Commission will now work towards granting the UK an adequacy decision before the end of the implementation period. This is the critical kitemark which allows data to be transferred from the EEA to the UK, by the UK being recognised by the EU as a country that offers adequate levels of data protection.

Pro advice 1. An adequacy decision isn’t guaranteed for the UK and may not be finalised before the end of the transition period. If you rely on cross-border data flows, you should begin exploring alternative transfer mechanisms for personal data to flow to the UK from 1 January 2021, such as standard contractual clauses (known as SCCs or model clauses).

Pro advice 2. At the end of the implementation period, if you offer goods and services to, or monitor the behaviour of, individuals in the EEA, you may need to appoint a European representative who has written authorisation to act on your behalf in respect of EU GDPR compliance. You may then also need to re-consider the location of your lead supervisory authority, as the ICO will no longer be part of the “one stop shop” mechanism and will in future only oversee the UK GDPR. The ICO has produced some useful information on data protection and Brexit (see Follow up).

ICO guidance on data protection and Brexit

Personal data can continue to flow between the EEA and the UK during the transition period, but if you receive personal data from the EEA things may change from January 2021. If you process only UK individuals’ personal data within the UK and don’t offer goods/services in the EU, nothing should change.

© Indicator - FL Memo Ltd
