As we are fast approaching Brexit, businesses will be wondering where this leaves them in terms of data protection compliance and the use of third-party personal data. Sehaj Lamba, a data protection specialist lawyer, explains what businesses need to know about the well-known General Data Protection Regulation (GDPR) post-Brexit.
What happens to GDPR at the end of the transition period?
As it currently stands, the UK is in a transition period up until 31 January 2021, during which time the GDPR rules continue to apply and businesses in the UK are bound to follow this. We await to see what the data protection regime holds following the end of the transition period, as there may be further developments, which will depend on what is agreed between the UK and EU by this time.
Do businesses still need to comply with GDPR once the UK has left the EU?
In short, yes. When the UK leaves the EU UK businesses will need to comply with UK data protection law, which is the Data Protection Act 2018. The UK government intends to incorporate the provisions of the GDPR into this domestic UK law from the end of the transition period, meaning we expect little change from the current GDPR rules which businesses are following now.
Essentially, this will be the “UK GDPR” and practically the data protection rules and procedures for processing personal data will not be different.
Additionally, however, UK businesses may also need to comply with the GDPR (i.e. the ‘EU GDPR’) if they offer goods or services to or monitor the behaviour of individuals (e.g. by profiling or tracking the activities of EU based website users on the internet) in the EEA or have branches or offices in the EEA.
What are the key changes to be aware of from a data protection compliance perspective following Brexit?
UK businesses will still be able to continue to transfer personal data from the UK to the EEA lawfully, so long as they have the correct documentation in place to cover those transfers.
If the UK leaves the EU without a deal, however, then the UK will become a ‘third country’ for data protection purposes, which means data transfers from the EEA into the UK will be restricted unless the transfer of personal data is covered by an adequacy decision (meaning the UK is deemed by Europe to be ‘adequate’ and safe for data protection purposes and personal information may be freely sent to it), appropriate safeguard or exception (i.e. personal data can no longer be sent to the UK freely once we leave the EU).
This means UK businesses who seek to receive personal data from organisations in the EEA will need to put a mechanism in place to allow personal data to be sent to them lawfully.
UK businesses may also need to consider whether they need to appoint a European representative based in the EEA and also whether they will have a ‘lead supervisory authority’ (one regulator in the EU to whom they can deal with in relation to data protection matters such as reporting personal data breaches). This will apply to UK businesses with an office, branch or established presence in the EEA, for example.
What steps can my business take to prepare for the data protection landscape following Brexit?
UK businesses should identify and document the personal data transfers they currently make and what safeguards are in place now and review how this might change after the transition period so that they can prepare for the changes in international transfer changes mentioned above.
They will need to take extra steps to ensure that personal data can continue to flow in the same way following the end of the transition period.
Businesses should also consider their GDPR compliance documentation and whether it needs to be updated or revised in order to deal with changes resulting from Brexit, including a review of data protection impact assessments, records of processing activities, privacy policies and agreements relating to the transfer of personal data.
Whilst these are some general steps businesses should consider, they should seek specialist data protection law advice in order to understand how Brexit will impact their business and what they will need to put in place to comply with their legal obligations in future.
