With the UK planning on leaving the EU within months, questions have been raised over the impact of the GDPR in the UK once it is no longer part of the EU, and the implications for cross-border trade.
Will the GDPR still apply to the UK? Even in the case of a no-deal Brexit? Do UK-based organisations still need to worry about GDPR fines?
This post dives into the weeds of data protection under an impending Brexit to see what a deal or no-deal outcome would mean for data protection in the UK, and possibly your business.
Will the GDPR apply to the UK after Brexit?
Yes. The GDPR applies now, and it will still apply to the UK post-Brexit, regardless of a deal or no-deal Brexit.
Currently, the UK has adopted the UK Data Protection Act 2018 (DPA 2018), which incorporates the GDPR into UK national law (along with some caveats). Once Brexit happens, the GDPR will become UK national law as stipulated by the EU Withdrawal Act 2018 (EUWA).
This means that companies in the UK that process personal data will need to adhere to GDPR regardless of the outcome of Brexit.
What happens in the event of a No-Deal Brexit?
In the case of a no-deal Brexit, the UK would immediately be designated a “third country” by the EU.
Upon exit, the European Commission will begin a process of determining whether the UK provides “adequate” data protection.
If the UK gets an “adequacy” designation, organisations will be able to transfer personal data to and from the EU just like before Brexit.
Even though the UK stands a good chance of receiving an adequacy determination, the process will take at least a few months.
Meanwhile, the UK Information Commissioner’s Office (ICO) has publicly commented that, in the case of a no-deal Brexit, it would allow the flow of data from the UK to the EEA, but it adds that it has no control over the flow of data from the EEA to the UK.
What happens if there is a Brexit Deal?
A potential Brexit deal might include provisions for data protection and data transfers between the EU and UK. It also might include adequacy status for the UK in the details of the deal or lay out other specific guidelines for how to address EU to UK data transfers.
What if I want to transfer personal data from the EEA to the UK?
The UK ICO has provided some guidance for navigating this grey area. They caution that companies relying on EEA-to-UK data transfers ‘will need to carefully consider alternative transfer mechanisms to maintain data flows.’ There are a few specific ‘transfer mechanisms’ that the ICO has in mind here:
- Standard Contractual Clauses (SCCs): The ICO has also published a guide to using SCCs, but the gist is fairly simple. SCCs are basically a mechanism for UK businesses to ensure GDPR compliance, even with no Brexit deal. They are a series of terms and conditions that oblige both parties to adhere to GDPR-style data protection rules.
- Binding Corporate Rules (BCRs): Geared toward larger companies, BCRs are particularly useful for corporations with multiple subsidiaries. They allow a group to institute a single set of blanket rules for data transfers and the treatment of personal data across all the organisations under its control (as well as the businesses with which they work).
If you need help crafting SCCs or BCRs, Sovy’s GDPR Privacy Essentials provides easy-to-use templates and guidance for how to use them in your business. You can also email us at firstname.lastname@example.org for enquiries.
- Q: What if I’m not sure if I have EU clients?
- A: If you’re not sure whether you have EU clients (and therefore need to comply with the GDPR), the GDPR would also look at whether you might target people in the EU. For instance, do you accept payment in euros? Do you have a web domain in an EU country as well as your .co.uk? If so, then the GDPR will probably say that you’re targeting people in the EU and need to comply with the GDPR, regardless of whether you know for sure that you have EU citizens’ personal data.
- Q: The headquarters of my company are in the EU, but my branch is in the UK. Do I still have to operate as a business in a “third country”?
- A: It depends. If you transfer EU residents’ personal data from your HQ to your UK branch, then you do need to regard that transfer as a “third country” transfer. But if you can make sure that personal data of people in the EU is processed only by people in your headquarters and on servers in the EU, then you don’t need to worry about third country transfers to the UK. However, it’s unlikely that you’ll be able to do this because of the expansive definition of “processing”, which includes accessing, disclosing, storing, or doing anything to (or with) the personal data. This kind of data siloing is not usually efficient or manageable for a business. We’d recommend covering data transfers within all your offices with a single set of Binding Corporate Rules (BCRs) so you don’t have to worry about slipping up and accidentally transferring data to a ‘third country’ (the UK) without proper contractual safeguards in place. Your business might already have specific BCRs that indicate proper treatment of your customers’ data, but that is something for you to verify. Until the UK eventually achieves adequacy, you will operate under the guidelines that address third countries.
- Q: Do I have to abide by the DPA 2018 if I am an EEA business with UK clients?
- A: Yes, you will. It’s important to remember that simply complying with the GDPR at face value doesn’t necessarily mean you’ll comply with the DPA 2018. The GDPR allows member states, including the UK, to deviate from it in certain areas. (Here’s a list of the differences between the UK DPA 2018 and the GDPR.)
- Q: How is the DPA different from GDPR?
- A: The DPA lowered the legal age at which someone can consent to data processing from 16, as the GDPR specified, to 13. The DPA also specifies how the GDPR applies in certain intentionally ambiguous areas like law enforcement, intelligence, and immigration. It makes changes to employment law, allowing businesses to process special categories of data (like race, sexual orientation, health data, and more) where it’s necessary for rights and obligations related to employment. A more detailed summary of the derogations made in the DPA can be found here.
- Q: What set of rules do I need to comply with right now (pre-Brexit) if I only have UK citizens as clients?
- A: You should comply with the guidelines set forth in the DPA 2018 (therefore also complying with GDPR).
- Q: I’m a US company, and I process UK citizens’ data. What regulations do I need to abide by?
- A: You need to follow the UK DPA 2018 as well as any relevant US regulations. In the US, your regulatory requirements follow a sectoral approach, so the regulations you’ll have to follow will depend on the type of business you have. Also bear in mind that following the UK DPA 2018 also means that you’ll need to meet GDPR requirements.
- Q: Since it is still a member of the EU, how was the UK able to pass the DPA?
- A: The GDPR specifies that EU member states are allowed to make certain additions and adaptations to data protection law in their own country.
Brexit, deal or no deal, is most likely going to affect your business if it transfers data to and from the UK and EEA.
If you’re worried about doing data mapping, setting up SCCs or BCRs, or generally figuring out what to do, Sovy is here to help.
The GDPR Essentials Package helps you make sure you’re on the right side of compliance. You’ll get access to the Sovy Hub, and from there you’ll be able to craft all policies required by the GDPR and DPA 2018.
You’ll also have access to a suite of regulatory guidance documents and e-learning courses for more detailed education on tough-to-navigate areas of the law, presented in a layman-friendly way.