The past two years of Brexit negotiations have largely proved the late William Goldman’s adage that “nobody knows anything”. No one can tell you what Brexit will entail, very little has been finalised and there’s a real possibility that the UK will exit the EU without a formal agreement.
Amid all this uncertainty, you might be surprised to learn that the UK government does have a plan for protecting personal data if the UK can’t negotiate a deal by 29 March 2019.
“Data protection if there’s no Brexit deal” outlines what will happen in that scenario, reflecting the reality that the free flow of personal data between the UK and the EU is vital to maintaining the relationships that are essential to the economy and security.
The ‘No Deal’ framework
The European Union (Withdrawal) Act 2018 will incorporate the GDPR (General Data Protection Regulation) into UK law post-Brexit. The government will then have the power to make appropriate amendments to ensure that it works effectively in a UK context.
The UK government’s website provides a full list of amendments to UK data protection law in the event of a no-deal Brexit.
- Data controllers and data subjects: The responsibilities of data controllers will remain the same, and data subjects will continue to benefit from the same high levels of data protection as they do now.
- Data transfers from the UK to EEA (European Economic Area) countries: The UK will “transitionally recognise” all EEA countries (and Gibraltar) as providing an adequate level of protection for personal data, allowing organisations to transfer data freely. The UK would keep all of these decisions under review.
- Data transfers from the EU to the UK: Each EU member state will have to provide its own rules for transferring data to the UK. Organisations in the UK that rely on data transfers from the EU should work with their EU counterparts to make sure alternative mechanisms for transfers (such as standard contractual clauses) are in place.
- Existing EU adequacy decisions: The UK government intends to preserve the effect of adequacy decisions made regarding a country or territory outside the EU. This means that transfers from UK organisations to adequate countries can continue uninterrupted. The EU Commission has so far recognised Andorra, Argentina, Canada (commercial organisations), the Faroe Islands, Guernsey, Israel, the Isle of Man, Jersey, New Zealand, Switzerland, Uruguay and the US (limited to the Privacy Shield framework).
- Recognising EU SCCs (Standard Contractual Clauses): Provisions will be made so that the use of SCCs that have previously been issued by the European Commission will continue to be an effective basis for international data transfers from the UK. Under the proposed regulations, the ICO (Information Commissioner’s Office) will have the power to issue new SCCs after the UK leaves the EU.
- BCRs (Binding Corporate Rules): Existing BCRs will continue to be recognised after Brexit, and the ICO will retain its ability to authorise them.
- Maintaining the GDPR’s extraterritorial scope: The GDPR applies to all organisations that process EU residents’ information, regardless of where they are based. The UK government will retain this scope regardless of whether a Brexit deal has been reached.
- UK representation for controllers: The UK government will replicate the GDPR’s requirements for controllers based outside the EEA to designate an EEA representative.
Finding an EEA representative
As this list shows, things won’t change too much in the event of a no-deal Brexit, but one big requirement is the need for an EEA-based representative.
Organisations looking to fill this role should consider our GDPR EU Representative service.
You’ll receive the expert advice of our data privacy, legal and compliance team, who will:
- Register our EU address as your GDPR representative address;
- Act as the point of contact for communications received from EU-based data subjects in relation to data subject rights requests and other general GDPR-related enquiries;
- Act as point of contact for communications received from EU supervisory authorities; and
- Record your processing activities and make them available to the data protection authorities upon request.
This service is provided via our sister company, GRCI Law, which specialises in data protection and privacy law.
Led by a management team of experienced DPOs (data protection officers), lawyers, barristers, and information and cyber security experts, GRCI Law provides support across a broad range of topics, including breach response, data privacy management and data subject access requests.