The past three years of Brexit negotiations have largely proved William Goldman’s adage that “nobody knows anything”. No one can tell you what Brexit will entail and very little has been finalised.
Sure, there has been a flurry of recent activity involving extensions, a resignation and the rise to power of Boris Johnson, but the only thing that’s clearer now than it was six months ago is that a no-deal Brexit is looking like a genuine possibility.
Organisations that have been sitting back and putting their faith in negotiators to reach a deal should strongly consider preparing for hard Brexit.
Fortunately, at least when it comes to protecting personal data, the UK government does have a plan for what will happen if a deal isn’t reached by 31 October 2019.
“Data protection if there’s no Brexit deal” outlines what will happen if the UK leaves the EU without a formal agreement, reflecting the reality that the free flow of personal data between the UK and the EU is vital to maintaining the relationships that are essential to the economy and security.
The ‘No Deal’ framework
The European Union (Withdrawal) Act 2018 will incorporate the GDPR (General Data Protection Regulation) into UK law post Brexit. The government will then have the power to make appropriate amendments to ensure that it works effectively in a UK context.
The UK government’s website provides a full list of amendments to UK data protection law in the event of a no-deal Brexit.
- Data controllers and data subjects: The responsibilities of data controllers will remain the same, and data subjects will continue to benefit from the same high levels of data protection as they do now.
- Data transfers from the UK to EEA (European Economic Area) countries: The UK will “transitionally recognise” all EEA countries (and Gibraltar) as providing an adequate level of protection for personal data, allowing organisations to transfer data freely. The UK would keep all of these decisions under review.
- Data transfers from the EU to the UK: Each EU member state will have to provide their own rules for transferring data to the UK. Organisations in the UK that rely on data transfers from the EU should work with their EU counterparts to make sure alternative mechanisms for transfers (such as standard contractual clauses) are in place.
- Existing EU adequacy decisions: The UK government intends to preserve the effect of adequacy decisions made regarding a country or territory outside the EU. This means that transfers from UK organisations to adequate countries can continue uninterrupted. The EU Commission has so far recognised Andorra, Argentina, Canada (commercial organisations), the Faroe Islands, Guernsey, Israel, the Isle of Man, Japan, Jersey, New Zealand, Switzerland, Uruguay and the US (limited to the Privacy Shield framework).
- Recognising EU SCCs (Standard Contractual Clauses): Provisions will be made so that the use of SCCs that have previously been issued by the European Commission will continue to be an effective basis for international data transfers from the UK. Under the proposed regulations, the ICO (Information Commissioner’s Office) will have the power to issue new SCCs after the UK leaves the EU.
- BCRs (Binding Corporate Rules): Existing BCRs will continue to be recognised after Brexit, and the ICO will retain its ability to authorise them.
- Maintaining the GDPR’s extraterritorial scope: The GDPR applies to all organisations that process EU residents’ information, regardless of where they are based. The UK government will retain this scope regardless of whether a Brexit deal has been reached.
- UK representation for controllers: The UK government will replicate the GDPR’s requirements for controllers based outside the EEA to designate an EEA representative.
Finding an EEA representative
As this list shows, things won’t change too much in the event of a no-deal Brexit, but one big requirement is the need for an EEA-based representative.
Organisations looking to fill this role should consider our GDPR EU Representative service.
You’ll receive the expert support from our data privacy, legal and compliance team, who will:
- Register our EU address as your GDPR representative address;
- Act as the point of contact for communications received from EU-based data subjects in relation to data subject rights requests and other general GDPR-related enquiries;
- Act as point of contact for communications received from EU supervisory authorities; and
- Keep a record your processing activities and make them available to the data protection authorities upon request.
This service is provided via our sister company, GRCI Law, which specialises in data protection and privacy law.
Led by a management team of experienced DPOs (data protection officers), lawyers, barristers, and information and cyber security experts, GRCI Law provides support across a broad range of topics, including breach response, data privacy management and data subject access requests.
A version of this blog was originally published on 19 December 2018.