Following the decisive victory by the Conservative Party on the 12th of December 2019, it is now certain that Brexit will go ahead on the 31st of January 2020. Following this, parliament will need to negotiate throughout 2020 to determine what the future relationship between the UK and the EU will be. The way data flows between the UK and the EU will form part of this negotiation, and whilst the changes to the GDPR will be, on the surface, minimal, there will be significant implications that companies will need to consider.
With this in mind, I sat down with Mandy Webster, a data protection specialist with more than twenty years of experience, to discuss the effect of Brexit on the GDPR:
“From the very start, we knew we were Brexiting, and so the Data Protection Act 2018 makes it clear that the GDPR will continue to apply in the UK following Brexit. So, we’ve always known it is going with us. Until the Tory majority, however, we didn’t know when we were Brexiting; once they got the majority, it became a virtual certainty that it will happen at the end of January 2020.”
The awareness since the referendum that Brexit would ultimately happen, coupled with the importance of the financial services sector to the economy of the UK, has meant that a great deal of effort has been made to ensure that data protection legislation is prepared:
“The financial services market is vital, and the lifeblood of the financial services is personal data. For us to have a different standard of data protection to the rest of Europe is unthinkable, so, for a long time, the ICO’s position has been that the UK will mirror European legislation in this area as closely as possible.”
Technically, therefore, the change to GDPR following Brexit should be minor: we move from the GDPR to the UK GDPR. But this doesn’t mean that there won’t be issues.
What will be the GDPR situation during transition?
Since May 2018, the UK has been regulated by the GDPR. This will continue to apply for the duration of the transition period until December 31, 2020. On the 31st of January 2020 it is redesignated the “UK GDPR”.
The UK GDPR is effectively the same as the EU GDPR, only revised to include areas of domestic law (such as national security and the intelligence services) not covered by the EU GDPR and changes to terminology to reflect the fact that the UK is no longer a part of the EU.
The Withdrawal Agreement negotiated with the EU means that for the transition period from January to December 2020, unrestricted data flow between the UK and the EU is protected.
What will the GDPR situation be after transition?
The good news is that the UK have already agreed that EU member states offer an appropriate level of security for personal data, so there will be no barriers between us and the EU in terms of the UK sending personal data to them.
The concern, as Mandy outlines, is with data flowing from the EU to the UK:
“We can’t speak for the other member states regarding data flow coming from the EU to the UK. There are rumours that this might become a bargaining chip during negotiations for a final trade deal after the transition period. The worry is that we might struggle to access any data that is held in the EU outside the UK, even if it is ours, because we might not be deemed a safe place for the data to be, even though we have the same GDPR.”
There is also the issue of the adequacy decision. This assessment, conducted by the European Commission, is required before the EU can confirm that the UK is a safe place for data processing. Recent reports, such as this one on the Business Telegraph website on the 26th of December 2019, suggest that this process might not be a swift one:
“Officials in Brussels have warned several times that assessing the UK’s data “adequacy” — whether UK regulations on data protection are as robust as those in the EU — will be a lengthy process and that the issue may fall down the list of priorities in the wider negotiations. Mr Wiewiorowski’s predecessor, Giovanni Buttarelli, also warned that reaching a deal “could take years”.”
There are a number of steps the Commission must take before an adequacy decision is adopted, including a draft assessment by the Commission, a draft decision, an opinion by the European Data Protection Board and, finally, a vote by the Member States in the Standing Committee. It’s a potentially lengthy process and the outcome is far from guaranteed.
What should UK companies be doing to prepare?
If you are a UK company or part of a group trading with companies in the EU, it is possible to put in place alternative tools for data transfers such as Standard Contractual Clauses. These work in most situations aside from when you are using data processors in the EU, and whilst these are less comprehensive and less practical than an adequacy decision, for most businesses they offer a convenient appropriate safeguard.
The bottom line is: if you are concerned or unsure of the effect of Brexit on the way your business deals with data flow both to and from the EU, get in touch with a data protection lawyer as soon as possible.