
Brexit and Data Protection - Deal or No Deal Implications


Background

The General Data Protection Regulation (GDPR) became applicable to all EU member states on 25th May 2018. The UK passed the Data Protection Act 2018, which also came into force from 25th May 2018, to incorporate this into its own domestic law.

In respect of Brexit, Parliament is due to vote in the week commencing 14th January 2019 on the draft withdrawal agreement negotiated by the government with the EU. Brexit Day is 29th March 2019. What happens to UK data protection law if we crash out with no deal?

Withdrawal agreement agreed and entered into?

If the current draft withdrawal agreement is ratified and entered into, the indication is that a transitional period will commence from the date of entry by the UK into the withdrawal agreement, and shall end on 31st December 2020. 

During the transitional period, EU data protection law will continue to apply to the UK and the UK shall be deemed a “member state” for the purpose of GDPR. The position will then change on 1st January 2021, subject to any agreement or change in law which may occur during the transitional period.

No withdrawal agreement entered into?

If we do not enter into a withdrawal agreement prior to 29th March 2019, then as of 29th March 2019 the UK will no longer be deemed a “member state” for GDPR purposes but a “third country”. This will have a number of practical consequences, some of which are listed below.

 Consequences of Brexit

   1) Incoming data from the EU to the UK

There may be restrictions on incoming data flows from the EU to the UK, as the UK will then be a “third country” and transfers to a third country from a member state can only take place in certain circumstances. The EU may decide to whitelist the UK as an approved recipient of data (this is called an “adequacy decision”) but it is unclear how long this will take or indeed if this is guaranteed. In the meantime we advise clients to consider using the EU’s model contract clauses to demonstrate “adequate safeguards” and allow inward flows of data.

   2) Dual Regulation

Those businesses which are established in the UK will be subject to the UK data protection regime. If they also have a separate establishment in the EU, or “target” customers in the EU by offering goods or services to them or monitoring the behaviour of individuals in the EU, then they will also be subject to the EU GDPR regime.

Likewise, businesses established in the EU but targeting or monitoring customers in the UK will be subject to both data protection regimes.

   3) Enforcement and Representatives

Potentially, businesses which are subject to dual regulation could face two sets of investigation in the event of a breach and two sets of fines. The indication from the government in its no-deal guidance is that those organisations based outside of the UK but operating within it for data protection purposes will need to appoint a UK representative; those in the UK but operating within Europe will need an appropriate representative in Europe.

What can you do now to prepare?

  1. Review your current arrangements – audit your contracts and sources of data, and what you are doing with it. Where are your data processors based? Are they in another European member state?
  2. Look at your current contracts. Do they need to be renegotiated to allow for amendment if the data protection law changes, and do you need to add in the EU standard contractual clauses if you receive data from a party in the EU?
  3. Make arrangements for the appointment of a further representative as may be required if you are operating both in the UK and EU (as explained above).
  4. Review your privacy policies and notices as they may need to be updated to refer to the change in regime (e.g. from EU GDPR to UK Data Protection Act).

For more information please contact Louise Adams or Guy Salter.

 

Added: 15 Jan 2019 10:04

