For a vast number of UK businesses, the free flow of personal data from the EU to the UK plays a vital role in the success of their operations. From sales and marketing to human resources, dependence on the flow of data is multi-departmental in most cases. With the UK set to leave the EU by October 31st and the terms of our exit yet to be set in stone, uncertainty remains a burden to UK businesses. Fortunately, when it comes to data protection laws, there are certain steps you can take to plan ahead and prepare for all outcomes.
Data protection laws in a no-deal scenario
With the possibility of a no-deal scenario on the horizon, the UK Government has issued papers that detail how data protection laws will change if there’s no Brexit deal.
Back in March, the UK Government stressed that, in the event that we left the EU with no agreement surrounding data protection & data transfers, “there will be no immediate change in the UK’s own data protection standards. This is because the Data Protection Act 2018 would remain in place and the EU Withdrawal Act would incorporate the GDPR into UK law to sit alongside it”.
The problem with this is that the GDPR does not allow for the processing of EU citizens’ personal data outside of the European Economic Area (EEA) by ‘third countries’ without certain controls being in place. At present, the UK is able to freely receive data from other EU member states: our status as a member of the Union guarantees this. Should we leave the EU without a deal, there will be no transition period in place.
From the 31st of October, the UK will be seen as a ‘third country’. Possible restrictions on transfers of personal data could, in this scenario, be imposed on the UK and EU organisations will have a responsibility to ensure transfers to the UK are lawful.
In the immediate aftermath of a no-deal, allowing any data to be transferred to UK organisations would become complicated, since the EU will not have determined whether the UK “ensures an adequate level of protection” for data transfers. In other words, the UK must be able to demonstrate that is a safe place for data processing to ensure strict EU rules do not prevent the flow of personal data post-Brexit.
Will the UK be granted adequacy status?
According to the GDPR, third party countries who are awarded data protection ‘adequacy’ status are not bound by the strict rules as set out in Article 46 and Article 47 of the GDPR. Without a Brexit deal, the UK will not automatically be granted adequacy – rather, the European Commission would assess its adequacy through a process of rigorous testing to determine whether or not to award it this status. In the initial aftermath, new restrictions will, in theory, apply until we are awarded adequacy.
Despite the amount of time that has passed since the referendum in 2016, the European Commission have stated that they will not begin this process until the UK officially leaves and becomes a ‘third country’. Once it has begun, the process will be based on Article 45 of GDPR, which sets out what the Commission should take into account when considering whether to award adequacy.
How can businesses prepare for changes to GDPR after Brexit?
Any organisation who relies on the transfer of personal data from the EU will need to review contracts with EU partners to ensure compliance with Articles 46-49 of the GDPR. According to Government documents on data privacy post-Brexit, the most appropriate legal framework for data transfers from the EU would be Standard Contractual Clauses. These EC-approved data protection safeguards clearly set out the obligations of both parties to protect the privacy rights of the EU citizens whose data is being transferred. As the ICO states on their website:
“It is the EEA sender of the personal data which must comply with GDPR rules, but UK receivers may want to assist those senders in complying, to make sure data continues to flow if we leave the EU without a deal.”
As well as UK-only businesses, UK entities who form part of multi-national organisations will also need to ensure compliance in data transfers from the EU. For those who already have approved Binding Corporate Rules (BCRs), the impact of Brexit on data transfers will not be felt as hard since BCRs by design include all data protection principles and enforceable rights to ensure appropriate legal frameworks for data transfers.
How will data protection laws change if the UK leaves the EU with a Brexit deal?
As critical as it is to prepare for the possibility of a no deal, there is still a strong likelihood that we will leave the EU with a deal. In this case, the UK will enter into a transition period whereby the GDPR will continue to apply with no major changes.
This would ensure minimal disruption to businesses as the European Commission begins its adequacy assessment of the UK. Should they reach a favourable conclusion and award the UK with adequacy status, the data restrictions that come with status as a ‘third country’ would no longer apply, allowing the free flow of personal data from the EU to the UK with no new special measures.
While uncertainty as to the terms on which we will leave the EU continues, preparing for potential changes to data protection laws after Brexit is the most prudent approach – this means reviewing existing contracts to ensure compliance and anticipating possible changes to data processes in either outcome. As ever, seeking advice from a specialist data protection lawyer can make all the difference in preparing your business for change.