Brexit and GDPR... How much worse can it get?

4 December 2020

When thinking about Brexit, most people think about the effect on holidays; importers and exporters think about moving goods; tax people worry about taxes and customs duties; but perhaps the part we all forget to think about is the effect on data…

When the transition period ends on 31st December 2020, the UK will become what the EU calls a ‘third country’. This means UK businesses can’t assume they can continue to process the personal data of EU data subjects in the same way as now.

For personal data transfers from the EU to the UK

Post-Brexit, the UK will be deemed a ‘third country’ and so EU organisations will only be able to transfer personal data from the EU to the UK if there’s an adequacy decision or some other arrangement in place. The exact nature of arrangements that will be in place after Brexit will depend on whether there’s a deal or not and how long it takes for the EU to agree an adequacy decision. Any UK organisation receiving personal data from an organisation in the EEA therefore can’t assume that such transfers can continue as they are now before an adequacy decision’s been made or without putting in place alternative arrangements.

For personal data transfers from the UK to the EU

Brexit will have less impact, as the Data Protection Act 2018 (DPA 2018) will still be the applicable legislation. The GDPR, however, will be retained in UK law under the terms of the EU (Withdrawal) Act 2018. The UK government could of course decide in future that further protections are required for UK data subjects and restrict transfers from the UK but that seems unlikely, at least in the short term.

EU data subjects

The GDPR requires a controller or processor not established in the EEA (so this will include any controller or processor only established in the UK post-Brexit) to designate a representative within the EEA if they process the personal data of EU data subjects. This includes offering goods or services to individuals in the EEA and/or monitoring the behaviour of individuals located in the EEA. This doesn’t apply to public authorities or if the processing’s occasional or low risk.

The Information Commissioner’s Office (ICO) has put together further information on this area which is available here and in particular, has developed an interactive tool especially for SMEs – a good place to start thinking through the repercussions for your business.