How Will Brexit Affect GDPR?
What implications does the UK leaving the European Union have for the GDPR? Will anything change? We answer your most frequently asked questions.
1. Should UK businesses still worry about GDPR post Brexit?
Negotiations regarding the future relationship between the UK and Europe are in progress in Brussels. Should you still worry about the GDPR? What impact will the transition have on UK businesses and where will firms stand in relation to the GDPR when the UK is no longer part of the EU?
2. What will happen between now and December 2020?
In practical terms, nothing much changes while the new relationship is negotiated with the EU. The GDPR still applies and you must continue to meet your GDPR obligations.
3. Will the GDPR still after the transition period?
Much depends on the outcome of the negotiations. However, since the GDPR is an EU regulation, it will no longer be law once the UK leaves the European Union.
That said, the UK government has signalled its intention to enshrine many of the existing GDPR provisions into UK law, to sit with the Data Protection Act 2018. The planned changes are available in the Keeling Schedule.
4. What will stay the same?
Essentially all the current data protection principles, obligations and individual rights will stay the same.
5. Will the ICO still exist?
Yes. The ICO will still be the data supervisory authority for the UK, but not for EU activities that fall under EU GDPR. However, the ICO plans to continue working closely with EU supervisory authorities when the UK leaves the EU.
6. What changes are expected in 2021?
As you'd expect, one of the biggest changes is likely to be the requirements on transfers of personal information between the UK and EEA.
The changes affect companies that continue to process the personal information of UK and EEA citizens, eg by providing goods and services or monitoring their behaviour, beyond the exit date.
The UK GDPR will apply to controllers and processors outside the UK who process the personal information of UK citizens, whereas the EU GDPR will cover EEA citizens' personal information.
What if you are UK-based but process EEA citizens' personal information?
The EU GDPR will continue to apply after the exit date. You will need to make preparations to ensure your data processing is lawful. There are four main issues to consider:
- International data flows - consider whether there is an adequacy decision, appropriate safeguards (Standard Contractual Clauses or binding corporate rules), or an exception you can rely on.
- EU representatives - if you intend processing EEA citizens' personal information after the exit date and you don't have a base or office within the EU or EEA, then you'll need to appoint an EU representative (eg a law firm, consultancy or company) where those individuals are based to represent you, and also provide their information to data subjects (eg via a privacy notice).
- EU regulatory oversight of cross-border processing - if you currently engage in cross-border processing and benefit from the One-Stop Shop arrangement with the ICO as your lead authority, be aware that you may no longer be able to rely on this after the exit date. You will have to deal with both the ICO and an EEA lead supervisory authority. Consult the EDPB guidance for more advice on identifying lead authorities. In the event of a data breach, you may also be fined by UK and EEA authorities.
- Documentation and accountability updates - review your privacy notices, DPIAs and related documentation to ensure it includes references to EU and UK law, it identifies your EU representative and covers future transfers. Make arrangements so your Data Protection Officer can be contacted by all.
7. What if there is no deal?
All the above provisions will apply. Consult the guidance on the ICO website to help you prepare.
8. How will Brexit affect the PECR, EIR and FOIA?
The Privacy and Electronic Communications Regulations (PECR) - covering unsolicited marketing calls, electronic communications and cookies - and the Environmental Information Regulations (EIR) are European laws that have been enshrined in UK law. As such they will continue to apply after we leave the European Union.
The Freedom of Information Act (FOIA) is part of UK law and remains unchanged.
Whatever happens with the forthcoming trade talks, the UK and EU GDPR will continue to apply, albeit, with some notable changes. However, in the event of no deal, the EU GDPR will no longer apply and therefore the transfer of personal data between the UK and EEA could be unlawful without additional preparations and appropriate safeguards in place.
In summary, whatever the outcome of those talks, UK businesses will still be expected to comply with the key principles, obligations and rights under the GDPR, and therefore, should start getting their business ready now to ensure a smooth transition and continued compliance after the exit date in 2021.
For the latest information and guidance, keep checking back to the ICO website.
Want to know more about GDPR?
We have created a glossary of GDPR definitions to help you navigate GDPR and DPA 2018 compliance. And we also have 50+ free compliance training aids as well as regularly publishing informative GDPR blogs including a regularly updated GDPR fines tracker for 2020.
If you're looking for comprehensive compliance training, why not visit our GDPR course library.
If you've any further questions or concerns about GDPR, just leave us a comment below this blog. We are happy to help!