Following the UK’s departure from the EU, many organisations have been left wondering what impact Brexit will have on GDPR and what steps should be undertaken to comply with new laws and regulations.
When the GDPR came into effect on 25 May 2018, it signalled the biggest shake-up of data privacy laws in 20 years. The legislation was designed to standardise data protection rules across the European Union and to recognise the rights of individuals with regard to the use of their personal data.
Organisations have spent a lot of time and effort over the last two years improving data protection processes and implementing new measures to comply with the landmark legislation.
This commitment to data protection has not been in vain as many of the measures undertaken will remain relevant and won’t change the way UK-based businesses process the data of subjects within this country.
However, now that the UK has formally left the EU, organisations will need to assess what changes need to be made to ensure compliance with the relevant data protection legislation.
To answer any questions that you might have, we’ve put together a brief guide outlining what the changes may mean for your business.
Brexit & GDPR – Everything you need to know
Will the GDPR still apply in the UK?
On 1 January 2021, the EU GDPR ceased to apply in the UK, as it is an EU regulation. However, if your business operates inside the UK, you will still need to comply with UK data protection law. The UK government has incorporated the GDPR into UK law as the UK GDPR.
In practice, this means that very little has changed. There have been some amendments made to reflect the UK’s status outside of the EU, but essentially the core data protection principles, rights and obligations of the GDPR remain the same and have been enshrined in the UK GDPR.
Will the GDPR still apply if your business operates in the European Economic Area (EEA)?
Yes. If your business operates in Europe, offers goods or services to individuals in Europe, or you monitor the behaviour of individuals in Europe, then the EU GDPR will still apply. If your organisation has processing activities in both the EU and UK, you will need to comply with both the UK GDPR and the EU GDPR.
How does Brexit affect international data transfers?
As part of the new trade deal, the EU has agreed to delay transfer restrictions for a limited period of up to four months, which can be extended to six. This bridging mechanism will enable personal data to flow freely from the European Economic Area (EEA) to the UK until an adequacy decision is reached.
Since the UK has now left the EU it is classed as a ‘third country’ to Europe under the GDPR. Third countries are states that fall outside of the EU GDPR zone. Data transfers from the EU to third countries are subject to restrictions unless the European Commission grants a status called ‘adequacy’.
The European Commission awards adequacy to countries if they are deemed to have an adequate level of data protection. Other countries that have been awarded adequacy status by the EU include Argentina, New Zealand, Israel and Japan. If the UK is granted adequacy, the free flow of personal data will continue without any new restrictions.
Will the EU be adequate for data transfers from the UK?
Yes. The UK government has confirmed that it will transitionally recognise the EU as adequate to allow for data flows from the UK without any additional transfer mechanisms.
Will your business need a European representative?
If your business offers goods or services to individuals in the EEA or you monitor the behaviour of individuals in the EEA, then you may need to appoint an EU representative. Similarly, if your business is not based in the UK but you process the personal data of UK citizens, you may need to appoint a UK representative under the UK GDPR.
What will the ICO’s role be?
The ICO will remain the independent supervisory body governing the UK’s data protection legislation. However, it will no longer be an EU supervisory authority so if you process the data of EU citizens, you will need to have a nominated EU representative. The ICO has clearly stated that if you handle EU citizens’ data, you will still need to comply with the GDPR.
Who will you notify in the event of a data breach?
In the event of a data breach, a UK-based company would contact the ICO. Following Brexit, the ICO will only investigate data protection-related incidents involving UK individuals. If the breach involves multiple nationalities, the ICO will launch an investigation and deal with the Supervisory Authorities in each of the affected territories. If EEA data subjects are involved, you will need to contact the relevant EU Supervisory Authorities directly.
Will other data protection regulations be affected?
The UK Data Protection Act 2018 (DPA 2018) will continue to apply, supplementing the UK GDPR.
The Privacy and Electronic Communications Regulations 2003 (PECR) provide rules for marketing, cookies and electronic communications. PECR is a UK-specific regulation derived from an EU law known as the ePrivacy Directive (there are ongoing plans to replace the ePrivacy Directive with the ePrivacy Regulation). PECR will therefore remain in place and is not affected by the UK’s departure from the EU.
The Directive on Security of Network and Information Systems (NIS) also derives from EU law but is set out in UK law. As such, the current rules will continue to apply. However, if you are a UK-based digital service provider offering services in the EU, you may need to appoint a representative in one of the EU member states in which you provide services.
The electronic Identification, Authentication and Trust Services (eIDAS) Regulation is also an EU law, but it no longer applies in the UK. However, the UK government has said it will incorporate eIDAS rules into UK law, so if you are a UK trust service provider, you will still need to comply with these rules. Additionally, if you provide services in the EU, you will also need to adhere to eIDAS rules in EU member states.
The Freedom of Information Act 2000 forms part of UK law and will continue to apply.
The Environmental Information Regulations are set out in UK law so will continue to apply unless repealed or amended.
What steps should businesses take post-Brexit?
Organisations will need to carry out a detailed data privacy review to assess if any changes need to be made. If your business is based in the UK and offers goods and services predominantly to UK customers, then you will need to do very little. However, if you provide goods and services to both the EU and the UK, then changes may need to be made. To ensure compliance with the relevant data protection legislation, your organisation should:
- Map data flows to ensure that your business can comply with both the UK GDPR and the EU GDPR.
- Update records of processing to meet EU GDPR and UK GDPR requirements.
- Assess whether there is an EU supervisory authority that will now qualify as a lead supervisory authority (LSA).
- Update security breach response plans to allow for possible notification to the ICO and EU LSA in the event of a breach.
- Consider whether your business needs to appoint a UK and/or EU representative.
- Update privacy notices to ensure they detail data flows and cover the relevant requirements of both pieces of legislation.
- Amend existing contracts and templates to include the appropriate referencing to both the UK GDPR and EU GDPR.
- Consider whether data protection impact assessments and legitimate interest assessments will need to be updated to comply with the UK GDPR.
- Ensure the appropriate safeguards are in place for cross-border data flows.
- Assess if you need to appoint a separate UK and EU Data Protection Officer.