Whether you sit in the pro-Brexit camp or in the Remain camp, Exit Day is here. We must now all accept that the UK will leave the EU at 11pm tonight and begin (or continue in some cases) putting in place plans to deal with the changes that will inevitably come our way. So what does this mean for data protection? This article explains what happens next for data protection and key issues organisations should now be considering.
What impact does ‘exit day’ have on UK data protection?
In short, exit day will have no immediate impact on data protection laws so don’t panic.
Although it has been a bumpy road along the way, the UK has now confirmed a deal setting out how we will leave the EU. The very recently passed Withdrawal Agreement Act 2020 forms the basis for the UK to leave the EU and triggers the “transition period”, i.e. from 1st Feb up until 31 December 2020.
The purpose of the transition period is to provide some breathing space to allow further UK and EU negotiations to take place to determine what the future relationship looks like. For data protection purposes it will be “business as usual” during the transition period. The General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA) will continue to apply as is; therefore, if your organisation is already complying with GDPR/DPA, no immediate actions are required.
One of the most debated issues has been what impact Brexit would have on international transfers of personal data. Well, since the UK has reached a deal with the EU, the status quo on international transfer rules will continue during the transition period.
OK so no need to panic immediately; what happens next?
At the end of the transitional period, by virtue of the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 (“DP Brexit Regs”), the GDPR and the applied GDPR (as introduced by DPA) will merge to form the UK GDPR; the original GDPR will no longer apply in the UK. However, if your organisation operates in the EU, offers goods and services to those in the EU or monitors the behaviour of those in the EU, you may still need to comply with the EU GDPR in that respect.
On a practical level, the UK’s approach to data protection is expected to largely align with the EU’s approach under the EU GDPR. Therefore, while there may be some changes to the UK’s current approach to data protection, a drastic change following the transition period is not expected, which should provide some comfort to organisations.
However, there are some key issues that will need to be ironed out during the transition period, namely how international transfers will operate. While the Government has stated that after the transition period there will be no restrictions on transfers of personal data from the UK to EU countries, the position on transfers from the EU to the UK is not so clear.
It is hoped that the UK will be granted an adequacy status during the transitional period, allowing the flow of data from the EU to the UK to continue without additional restrictions. If this is not achieved, however, the UK will become a third country under EU GDPR and organisations that transfer personal data from the EU to the UK will need to ensure additional measures are in place, which will involve a significant review of current data flow arrangements.
Another key issue of concern is appointing an EU representative if your organisation offers goods and services to, or monitors, individuals in the EU. While not necessary during the transition period, relevant organisations should be thinking about having this in place following the transition period.
Recommended Action Points
Although there is nothing immediate that organisations need to do, the future remains unclear as to what data protection will look like after the transition period. It will be important to keep an eye on UK-EU discussions in this regard and any guidance being issued by the ICO. As discussed above, the key issue likely to cause the most disruption at the end of the transition period is ensuring that international transfers of personal data can continue and perhaps most relevantly, that any personal data you receive from the EU can continue seamlessly. To prepare for the possibility that an adequacy decision is not reached during the transition period, we recommend the following:
- Consider what your organisation does now in terms of transfers and the flow of personal data. In particular, identify where data is being transferred from an EU country into the UK.
- Prioritise transfers of large volumes of data, transfers of special category data or criminal convictions and your operational-critical transfers. This will allow your organisation to plan a strategy and prioritise action to maintain data transfers in the event it looks like an adequacy decision will not be reached.
- Identify how your organisation can continue these transfers of data lawfully after exit in the absence of an adequacy decision. For example, for transfers from an EU country to the UK, the simplest way may be to enter into Standard Contractual Clauses with the sender of the personal data.
Aside from transfers, we recommend that organisations build into their data protection projects over the next year a plan to review privacy notices and policies to ensure these are updated to reflect the changing legal landscape and any other consequential requirements.
Consideration should also be given to whether you need to appoint a representative in the EU following the transition period. It can take time to consider an appropriate representative and put this in place; therefore, we recommend thought is given to this at the earliest opportunity.
How can we help?
We have a specialist team with expertise in data protection matters who can assist you and your organisation with any issues raised in this article. Contact any member of our team for more information.