Brexit: Impact on Personal Data Processing and Application of the GDPR
On 31 January 2020, the United Kingdom (UK) formally left the European Union (EU), and immediately thereafter, a transition period of eleven months commenced. During the year 2020, the GDPR will continue to have direct application in the United Kingdom, and the UK government will have to reach an agreement with the EU on their further involvement.
If the United Kingdom leaves the EU without reaching an agreement on substantial points, this will be recorded in history as a “No-deal Brexit”. In this article, we explain how No-deal Brexit can affect the application of the GDPR and processing of personal data.
Will the GDPR Continue to be Mandatory?
Yes, it will. The requirements of the GDPR are still to be complied with. According to the European Union (Withdrawal) Act 2018, any EU regulation (including the GDPR) in force immediately before the exit day forms part of domestic UK law on and after exit day. Therefore, there will be practically no significant changes for companies or natural persons (data subjects).
How Will Personal Data Be Transferred To/From the UK?
1. Transfer of personal data from the EU to the UK — As a general rule, free transfer of personal data outside the EU is only possible for countries with an adequate level of data protection. At the moment of complete exit from the EU, the United Kingdom will, most likely, not be included in this list, which means that a free transfer of personal data from the EU to the UK will no longer be legal. Starting from 2021, in order to transfer personal data from the EU to the UK, a controller or processor must use one of the “appropriate safeguards” prescribed by the GDPR. Such appropriate safeguards could be Standard Contractual Clauses (SCC), Binding Corporate Rules (BCRs), codes of conduct, or certification mechanisms.
2. Transfer of personal data from the UK to the EEA — Transmission of personal data from the UK to the EU member states, Liechtenstein, Norway, and Iceland will not be changed and can be carried out freely without the use of the appropriate safeguards or additional formalities.
3. Transfer of personal data from the UK to non-EU countries — The ICO confirmed that the rules with respect to the transfer of personal data to non-EU countries will remain the same. In the near future, the UK government intends to define a list of countries with “an adequate level of personal data protection” and will also approve the EU SCC and BCRs. Therefore, the transfer of personal data from the United Kingdom to non-EU countries on the basis of SCC and other appropriate safeguards will remain relevant and legal.
How to Proceed Further?
1. UK companies — To review the existing documentation and change references to the EU legislation which will no longer always directly applicable: establish a new mechanism for receiving personal data from the EU; consider the need to appoint a representative in the EU. You can learn more about EU representatives in our article.
2. Foreign companies — To take into account the requirements of the UK national legislation and follow the changes related to Brexit: change the leading supervisory authority, as the UK will no longer be a part of the EU; appoint a new representative in an EU member state.
3. Non-EU resident companies when working with UK companies — To take into account the requirements of the UK national legislation and monitor changes related to Brexit: if necessary, make changes to the existing documents signed with contractors from the UK or the EU.