Business leaders are being warned there is “no room for complacency” over the impact of a ‘no deal’ Brexit on data protection.
Leading data protection lawyer Jon Belcher is warning that businesses need to prepare for such an eventuality, despite the passing of a law that aims to block the UK leaving the EU without a deal on 31 October.
Under the new legislation, if no new deal is reached by 19 October, Prime Minister Boris Johnson will have to request a Brexit extension until 31 January 2020. However, any extension will need to be agreed by the EU and so the new law does not guarantee a Brexit extension. A Halloween no-deal Brexit cannot be ruled out.
Mr Belcher, a data protection expert with law firm Blake Morgan, warns that businesses could inadvertently fall foul of data protection laws should we crash out of the EU without a deal.
He explains that most UK businesses are already familiar with the General Data Protection Regulation (GDPR), which is a European law that came into force in May 2018. In the event of a no-deal Brexit, the GDPR would cease to apply to most UK organisations and would be replaced with a very similar UK law, known as the ‘UK GDPR’.
The GDPR contains restrictions on transferring personal data to third countries outside of the European Economic Area, while there are no restrictions on data flows between countries within the EU. Companies found to be in breach of the GDPR can face fines of up to 4% of annual turnover, or €20 million, whichever is greater.
Mr Belcher warns this could pose a significant problem for organisations that transfer personal data internationally, for example by using cloud services, external hosting or outsourced data processing providers. He said: “Where this happens, personal data is transferred to and stored elsewhere, often in countries outside of the UK. In the event of a no-deal Brexit, the UK would automatically become a ‘third country’ on leaving the EU. Data flows from the EU to the UK would, therefore, become subject to the tight restrictions contained in the GDPR.
“One way of overcoming this problem would be for the European Commission to declare that the UK has adequate data protection laws. The UK government hopes that the UK will be granted an ‘adequacy decision’ in recognition of the fact that we have equivalent laws. Such a decision would enable data to flow unrestricted between the EU and the UK. According to the recently published Operation Yellowhammer report into the UK government’s no-deal preparations, in the event of a no-deal Brexit an adequacy decision ‘could take years’. This will be too late for businesses relying on uninterrupted flow of personal data between the EU and the UK.
“This means that all companies in the UK need to urgently consider their data flows. Where does their data come from? Where is it held? Where is it sent to or accessible from? If personal data is received from or sent to locations outside the UK, companies need to take action now.
“This includes checking current contracts and, where necessary, putting in place revised arrangements to ensure that there will be no disruption to those data flows.”
He continued: “A no-deal Brexit could have more profound effects for organisations operating in or selling into multiple jurisdictions in Europe. The GDPR applies to organisations outside of the EU which offer goods or services to – or monitor the behaviour of – individuals within the EU.
“This means some UK companies will need to continue complying with both the GDPR, as well as the new UK GDPR, after a no-deal Brexit. If your organisation is in this situation, you should seek specialist advice on the steps you should be taking now to prepare.”