If you’ve not yet planned or even considered the data protection impact of Brexit, and specifically data transfers with the European Union, you can breathe a temporary sigh of relief.
As we know the UK will leave the EU on 31st January 2020, and under the Withdrawal Agreement a transition period will now run until 31st December 2020. And to be clear the option of extending the transition period into 2021 has been removed from the Agreement.
During this transition period current EU rules will continue to apply to the UK, and negotiations will now begin on what exactly the future post-transition will look like. The requirement to comply with GDPR and the DPA 2018 remains unchanged.
It a statement published on 29th January, the ICO has confirmed:
- It will be ‘business as usual’ for data protection
- There is no need to appoint an EU Representative yet
- The ICO will remain as lead Supervisory Authority for organisations operating in the UK
What will happen during the transition period?
Over the next 11 months, the UK Government will be looking (amidst many other pressing matters) to negotiate a suitable data protection arrangement to try and ensure data flows between the UK and EU can remain unrestricted. The UK Government has confirmed it will be seeking what’s termed an ‘adequacy’ decision.
What is adequacy?
This is a status granted by the European Commission to a non-EEA country in which they confirm the level of personal data protection provided by that country is essentially of an equivalent level to that of EU Member States.
For countries granted adequacy, personal data can flow unrestricted to and from EU & members. However, the EC will only award the UK with adequacy status following a rigorous assessment, which takes time.
Although the UK Government has said it will implement ‘UK GDPR’ post-Brexit, there’s no guarantee this alone will lead the EC to grant adequacy, nor how long it would take. And despite the UK Government insisting it has some of the highest levels of data protection in the world there are concerns among EU member states about UK data standards.
What will happen after the transition period?
If (and it’s definitely an if) the UK is awarded ‘adequacy’, data flows from the EU to the UK will continue to flow freely come 2021. In the absence of an adequacy decision some believe it may still be possible for the UK to negotiate a Privacy-Shield type arrangement, similar to the EU-US Privacy Shield. This remains to be seen.
If there’s a failure to agree on any data protection arrangements, UK organisations which receive personal data from the EU (and EU organisations transferring data to the UK) will need to ensure they have additional appropriate safeguards in place. For example, Standard Contractual Clauses or Binding Corporate Rules. This poses the risk that UK companies could potentially lose business to other companies across the EU.
What else do you need to consider?
EU Representatives: UK organisations may fall under the requirement to appoint a suitable representative in the EU, if they offer goods and services to individuals in the EU (or monitor the behaviour of EU citizens), AND do not have any branches or establishments in any other EU or EEA state.
Documentation & Policies: Organisations are being advised to review their privacy information and documentation. It may be necessary to update these, for example any references to EU law would need to be amended to reflect ‘UK GDPR’ terms.
In the meantime, we’ll have to sit tight. Watch how the negotiations unfold and the appetite for the Commission to grant adequacy.
Philippa Donn
DPN Editor & Senior Associate at Opt-4
Updated 30 January 2020
Also see:
Brexit No Deal Data Protection Guide
Data Protection Support
Do you need help with the impact of Brexit or any other data protection related concerns? Get in touch with Opt-4. Our experienced Associates understand the challenges and are adept at giving pragmatic, commercially savvy advice. To discuss how we can help you Email: info@opt-4.co.uk or Tel: 020 3858 9614
Copyright DPN
The information provided and the opinions expressed in this document represent the views of the Data Protection Network. They do not constitute legal advice and cannot be construed as offering comprehensive guidance on the EU General Data Protection Regulation (GDPR) or other statutory measures referred to.
