The EU and UK negotiators have agreed the technical details of a Brexit deal. Yet, with less than five months until the UK leaves the EU and considering the UK and each EU country need to sign off on the deal, the likelihood of a No-Deal Brexit is still high. And this has raised questions around the General Data Protection Regulation (GDPR).
Leaving the EU won’t automatically free the UK from its laws thanks to the European Union (Withdrawal) Act 2018, but things will change. So, many of those responsible for data protection compliance in the UK are wondering: What is the impact of Brexit on data protection in the UK?
A No-Deal Brexit wouldn’t mean organisations in the UK stop needing robust data protection. The Data Protection Act 2018 and EU Withdrawal Act will mean the same standards will be in place, but the UK won’t have an arrangement for data transfers and sharing with the EU. Instead, the UK will become a so-called ‘third country’ and its businesses will need to implement more data protection controls to be able to exchange personal data lawfully with the EU.
Third countries wanting to share data with the EU must fulfil the data safeguard mechanisms under the GDPR or go through a robust process to prove the country’s data protection measures are ‘Adequate’ – in other words, aligned to the GDPR. The European Commission will only start the Adequacy process after Brexit and would consider the strength of the UK’s data protection laws and its Competent Data Protection Authority capabilities. In our experience, the process takes between two and four years to confirm Adequacy status.
With UK data protection laws unlikely to change post-Brexit, the wait for Adequacy is likely to be much shorter than usual. But the route to Adequacy would itself create a level of uncertainty.
While waiting for Adequacy status, it will be more difficult for businesses to share data between EU and European Economic Area (EEA) member states and the UK. This is likely to affect most UK businesses as over 75 per cent of international data sharing from the UK goes to the EU.
The effects of waiting for Adequacy will impact data sharing beyond Europe too, as countries like Japan and Canada adopt data protection laws that include export controls in line with EU advice. This could stop them sharing data with countries without Adequacy status or protective measures.
Amid uncertainties over Brexit, the UK Government recently ratified Convention 108+, an agreement on robust data protection principles and rules signed by 25 other countries (19 from Europe and six from the rest of the world). This convention lets the signatory states share data, provided they implement its principles, which are closely aligned to the GDPR. While this doesn’t remove the Brexit uncertainty, it would lessen the impact of a No-Deal scenario.
The UK Government has also published its No-Deal Brexit advice on Privacy and Data Protection. It encourages companies to rely on established safeguarding mechanisms, such as the Convention 108+, to share data internationally. But until the UK gets Adequacy status, businesses won’t necessarily be able to freely share personal data with all their EU counterparts. So, they should ensure contingency plans are in place.
The good news is, businesses that have already implemented a robust GDPR strategy should feel the impact less. But we’ve found, through our Data Privacy Maturity Assessment, that most businesses are yet to implement a comprehensive data protection programme or privacy strategy.
Whether your GDPR implementation is solid or not, there’s always more you can do to minimise the impact of a No-Deal Brexit on your data transfers, such as:
And, more importantly: