Brexit v data protection

The EU’s GDPR became law on 25 May 2018 (“EU GDPR”). In the UK, the DPA 2018 was introduced at the same time, with the intention of ensuring that UK and EU regimes were aligned post-Brexit as well as to supplement the GDPR requirements and standards, set out UK-specific exemptions and cover areas not dealt with by the GDPR (“DPA”).

Although the UK left the EU on 31 January 2020, during the transition period the UK continues to be treated for most purposes as if it were still an EU member state, and most EU law (including the EU GDPR) will continue to apply to the UK. The EU GDPR therefore continues to apply in the UK until the end of the transition period (31 December 2020), alongside the DPA.

Under the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 at the end of the transition period (assuming there is no deal on exit day), the EU GDPR will become part of the new body of retained EU law (to be known as the UK GDPR), and certain parts of the DPA will also be classified as retained EU law. The government has published a ‘Keeling Schedule’ for the UK GDPR, which shows the planned amendments.

Any changes to the EU GDPR from 1 January 2021 will need to be specifically incorporated into the UK GDPR.

What does this mean for your business?

This will depend on which of the following categories your business falls into, and assumes that your processes, procedures, systems, documentation etc already comply with the EU GDPR:

Category 1: You are a UK business only and have no contacts or customers based in the EEA (i.e., the EEA is the EU plus Iceland, Norway and Liechtenstein): You do not need to do much more to prepare for compliance with the UK GDPR. The EU GDPR will not apply to you.

Category 2: You are a UK business only but you receive personal data from contacts in the EEA: You will need to take extra steps to ensure that you can continue to receive and process that personal data at the end of the transition period. You will be subject to the UK GDPR, and quite possibly the EU GDPR. If you also have customers in the EEA or a presence in the EEA, category 3 will also apply.

Category 3: You are a UK business with an office, branch or other established presence in the EEA, or if you have customers based in the EEA: You will need to comply with both the UK GDPR and the EU GDPR at the end of the transition period. You may also need to designate a representative in the EEA. If you also have contacts in the EEA, category 2 will also apply.

Please remember that if either the UK GDPR and/or EU GDPR applies to your processing of personal data, it does not matter where in the world the individuals whose data you process are located – they will have the same data subject rights as those based in the UK and/or EEA.

If you are currently required to have a DPO, this requirement will continue following expiry of the transition period. Your DPO can cover the UK and EEA provided (as is currently required) your DPO is “easily accessible from each establishment” in the EEA and UK.

Category 1 : UK business with no contacts/customers based in the EEA

Although you will not be subject to the EU GDPR, you will be subject to the UK GDPR 2018 which is closely aligned with the EU GDPR. Because your internal and external documentation (e.g., privacy notices, data processing terms, fair processing notices, data protection policies, DPIAs, standard contracts and contracts already in place etc) are likely to refer to the EU GDPR you will need to make changes to those before the end of the transition period.  

Please note that the current rules for sharing data with countries outside the EEA remain similar so you do not need to take any extra steps at this stage save if you currently send personal data to the US using either EU-US Privacy Shield or SCCs.

Category 2 : UK business with contacts based in the EEA

Data processed or obtained before end of the transition period: The EU GDPR will continue to apply to any personal data that you obtained or processed in the UK about non-UK data subjects before the end of the transition period, until there is an adequacy decision for the UK (when it would then become subject to the UK GDPR). Personal data about UK data subjects processed in the UK before the end of the transition period falls under the UK GDPR from the end of the transition period. You will therefore have two regimes to comply with – the EU GDPR and the UK GDPR – until there is an adequacy decision. If your processes, procedures, systems etc already comply with the EU GDPR, you do not need to do anything further at this stage in relation to personal data relating to non-UK data subjects (but see Internal and external documentation below).

Transferring personal data to the EEA: The UK government has stated that transfers to the EEA will not be restricted. You can therefore continue to send personal data from the UK to the EEA without needing to take any additional steps.

Receiving personal data from the EEA: If a business in the EEA sends you personal data, it will need to comply with the EU GDPR. This means that they will need to take action to continue sending personal data to you because there may not be an adequacy decision on the UK by expiry of the transition period. For most businesses, “Standard Contractual Clauses” or “SCCs” will be the best way to do this. If you have not heard from a business in the EEA, you need to reach out to them now to put in place SCCs.

Transferring personal data to non-EEA countries: The current rules for sharing data with countries outside the EEA remain similar so you do not need to take any extra steps at this stage save if you currently send personal data to the US using either EU-US Privacy Shield or SCCs.

Internal and external documentation: This documentation (e.g., privacy notices, data processing terms, fair processing notices, data protection policies, DPIAs, standard contracts and contracts already in place etc) will have to be updated prior to the expiry of the transition period to correctly reflect the UK GDPR and EU GDPR. You should allow sufficient time for this to be done because it can be time consuming.

Category 3 : UK business with a presence, and/or customers based, in the EEA

Data processed or obtained before end of the transition period: As per category 2 above, the EU GDPR will continue to apply to any personal data that you obtained or processed in the UK about non-UK data subjects before the end of the transition period, until there is an adequacy decision for the UK (when it would then become subject to the UK GDPR). Personal data about UK data subjects processed in the UK before the end of the transition period falls under the UK GDPR from the end of the transition period. You will therefore have two regimes to comply with – the EU GDPR and the UK GDPR – until there is an adequacy decision. If your processes, procedures, systems etc already comply with the EU GDPR, you do not need to do anything further at this stage in relation to personal data relating to non-UK data subjects (but see Internal and external documentation below).

Transferring personal data to the EEA: As per category 2 above, the UK government has stated that transfers to the EEA will not be restricted. You can therefore continue to send personal data from the UK to the EEA without needing to take any additional steps.

Receiving personal data from the EEA: As per category 2 above, if a business in the EEA sends you personal data, it will need to comply with the EU GDPR. This means that they will need to take action to continue sending personal data to you because there may not be an adequacy decision on the UK by expiry of the transition period. For most businesses, “Standard Contractual Clauses” or “SCCs” will be the best way to do this. If you have not heard from a business in the EEA, you need to reach out to them now to put in place SCCs. If you receive personal data directly from the customer (i.e. a consumer), you do not need to put SCCs in place with that customer. Binding Corporate Rules, or BCRs, are the most appropriate transfer mechanism for multinational corporations to use when transferring data between their group companies but these can take (on average) around 15-18 months to be approved by your relevant data protection supervisory authority.

Transferring personal data to non-EEA countries: As per category 2 above, the current rules for sharing data with countries outside the EEA remain similar so you don’t need to take any extra steps at this stage save if you currently send personal data to the US using either EU-US Privacy Shield or SCCs.

Only based in the UK but you offer goods or services to individuals in the EEA, or monitor the behaviour of individuals in the EEA: You will also need to continue complying with the EU GDPR in relation to these. You may also need to appoint a suitable representative in the EEA who will act as your local representative with individuals and data protection authorities in the EEA. You will have to find a provider in the EEA who offers services as a GDPR representative. If you have a DPO, this cannot be the same person or one of your processors. 

Offices, branches or other subsidiaries in the EEA: Now, and at the end of the transition period, your European activities will be covered by EU law. You will need to check which of the 27 EU data protection supervisory authorities is your “lead supervisory authority” if you carry out cross border processing (i.e., your processing activities affect individuals in more than one EU or EEA state). For your UK business, the Information Commissioner’s Office will be your data protection supervisory authority.

Internal and external documentation: As per category 2 above, this documentation (e.g., privacy notices, data processing terms, fair processing notices, data protection policies, DPIAs, standard contracts and contracts already in place etc) will have to be updated prior to the expiry of the transition period to correctly reflect the UK GDPR and EU GDPR. You should allow sufficient time for this to be done because it can be time consuming.

How we can help

Please contact us if you:

  • have not already put in place the necessary processes, procedures, systems, documentation etc to comply with the UK GDPR and/or EU GDPR;
  • would like help with updating your internal and external documentation;
  • transfer personal data to the US using either EU-US Privacy Shield or SCCs; and/or
  • you have any other data protection needs.

Disclaimer: This article is provided for information purposes only and does not constitute legal advice. Professional legal advice should be obtained before taking or refraining from taking any action as a result of the contents of this article.