Brexit uncertainty and the DPA 2018

On 29 January, MPs will vote on Theresa May’s revised Brexit deal, in what may well be the final attempt to prevent the UK leaving the EU without a formal agreement.

As it stands, the prospect of a deal doesn’t look good. May’s ‘Plan B’ has been called a facsimile of the emphatically rejected Plan A, and although amendments continue to be tabled, most people are preparing for its defeat.

Amid this uncertainty, organisations will be pleased to discover that there are clear answers regarding their relationships with EU partners and data processing activities, and that the wholesale changes they made to comply with the EU’s GDPR (General Data Protection Regulation) won’t be for nothing.

The GDPR after Brexit

The GDPR’s requirements have already been incorporated into UK law by the DPA (Data Protection Act) 2018, which also supplements the Regulation by filling in sections that are left to individual member states to interpret and implement.

As such, the GDPR will continue to apply in the UK whether or not a formal exit agreement is in place (or, indeed, if there’s a second referendum in which Brexit is voted against).

So, although a deal could lead to minor changes regarding UK organisations’ relationships with the EU, the Regulation will remain intact.

What about a no-deal Brexit?

Last year, the UK government published a full list of amendments to UK data protection law in the event of a no-deal Brexit. The notice:

  • Preserves the GDPR in local law;
  • Confirms that the UK will transitionally recognise all EEA countries (including EU member states) and Gibraltar as ‘adequate’ to allow data flows from the UK to Europe to continue;
  • Preserves the effect of existing EU adequacy decisions, including the EU-US Privacy Shield, on a transitional basis;
  • Preserves EU standard contractual clauses and binding corporate rules authorised before ‘exit day’;
  • Maintains the extraterritorial scope of the UK data protection framework; and
  • Requires non-UK controllers that are subject to the UK data protection framework to appoint a representative in the UK if they are processing UK data on a large scale.

Become a DPA expert

Learn everything you need to know about the DPA with our Data Protection Act 2018 Training Course.

This one-day course gives you an overview of the differences and similarities between the GDPR and DPA, helping you keep your organisation secure and navigate the UK’s data protection compliance requirements.
