Data Protection: How to plan for Brexit

30th January 2019

Following the defeat of the Government’s EU Withdrawal Agreement in the House of Commons on 15 January, the risk of a no-deal Brexit has increased and there remains considerable uncertainty about how data protection laws will apply after 29 March 2019.

Actually, there is very little certainty about anything Brexit!  At the time of writing, the UK will leave the EU on 29 March 2019 whether or not a deal is agreed.  In the meantime, we face the possibility of a general election, a second referendum, extending the Article 50 period, revoking Article 50, Norway option, Canada option … all of which is to say, no-one knows exactly what will happen!

So, with all of this uncertainty, what should you be doing now to prepare? 

What happens if there’s a “no-deal” Brexit?

In the absence of a deal (assuming the Article 50 process is not extended or revoked) the UK will leave the EU on 29 March 2019.

In terms of data protection, the European Union (Withdrawal) Act 2018 will retain the General Data Protection Regulation in UK law, and so the GDPR will continue to apply alongside the Data Protection Act 2018.  This means that organisations may continue to freely export personal data to EU states in line with the current rules (as amended for the purposes of Brexit).  However – it will not be as simple for businesses to export/transfer data from the EU to the UK. 

No-deal Brexit: Exporting data from the EU into the UK

Whilst the UK would still be subject to the GDPR, crucially; we would not be subject to EU law.  This means that as of 30 March 2019, the UK would become a “third country”.  This means that there will be no automatic ability for an EU based business to lawfully transfer personal data to the UK.  That is not to say that exporting data will be impossible, however, it will be subject to specific conditions set in EU law.

The GDPR is clear that there are only a limited number of ways in which personal data can be lawfully exported to a third country.  These include transfers to a country with an ‘adequacy decision’ from the European Commission, use of approved standard contractual clauses, or intracompany binding corporate rules.

One thing that is certain is that the UK will not have been deemed ‘adequate’ by the European Commission by 30 March 2019.  Such a decision is likely to take some time; therefore, transferring on the basis of an adequacy decision is, initially at least, off the table.

What you should be doing now

  • Undertake an audit of your data flows (both data you send and data you receive).
    • This will help you to identify any cross border flows from which you can establish which ones are critical to your operations.
  • Where possible, implement appropriate measures before 29 March 2019 to mitigate risks and ensure that you have appropriate safeguards for data transfers (such as the standard contractual clauses) in place.
    • If you are unsure whether your contracts include appropriate safeguards then please ask us for advice.
  • Consider whether your privacy notices will need to be updated
    • On 30 March 2019, the EU27 would also become “third countries”.  Therefore, your privacy notices should be transparent about transferring to such countries.
  • Contracts should be reviewed to ensure that they do not inadvertently prohibit transferring to the EU27 after 29 March 2019.
  • Consider whether you need to appoint an EU representative
    • Once the UK leaves the EU, if your organisation offers goods or services to data subjects in the EU, your organisation may need to appoint a representative in the EU.
  • Any cross border contracts currently being negotiated should address the risk of a no deal Brexit, particularly where the import of personal data into the UK from the EU is a material part of the commercial arrangement.