Brexit – is your business data compliance ready?
With the latest ‘Brexit Deadline’ of 31 October 2019 now passed, the UK is playing a waiting game around when, and if, we will leave the European Union.
Add to the mix that the possibility of the UK leaving the EU with ‘no-deal’ is still real, then your business needs to be aware of and prepare for the actions you could need to take to remain compliant with data protection requirements.
1. Flow of personal data across borders
Brexit will impact on the flow of personal data between countries, particularly transfers of personal data from the EU to the UK.
Under Boris Johnson’s Brexit deal (published 21.10.19)
During the year-long implementation period ending on 31 December 2020, the current EU law will continue to apply in the UK subject to the terms of the Withdrawal Agreement. The UK is in the process of seeking an ‘adequacy decision’ from the European Commission to allow for the continued free flow of personal data from the EU to the UK as part of the future relationship.
An adequacy decision means that the European Commission has found that the country ensures an adequate level of protection for personal data and so transfers of personal data from the EU to that country can lawfully be made without any other measures needed. There is a ‘whitelist’ of countries outside the EU which have received an adequacy decision from the European Commission.
Any personal data transfers from the EU to UK businesses before the end of December 2020, or on the basis of the Withdrawal Agreement, so-called ‘legacy data’, can continue in accordance with EU GDPR. Once an adequacy decision for the UK has been granted, the UK’s own laws (UK GDPR) will apply, which effectively mirror EU GDPR.
The Political Declaration sets out that the European Commission will endeavour to adopt an adequacy decision for the UK by the end of the implementation period, but this is not guaranteed. If not achieved, businesses will need to take action and put in place other ‘appropriate safeguards’ to ensure transfers of personal data from the EU to the UK beyond the end of the 2020 remain lawful.
If your business transfers personal data from the UK to other countries, there is no immediate change. The UK has temporarily recognised all EU adequacy decisions and all EEA countries as having acceptable safeguards to protect personal data, but we don’t yet know whether this recognition will continue.
The possibility of a ‘no-deal’ Brexit
Leaving the EU without a deal will mean that the UK immediately becomes a third country for the purpose of GDPR. EU GDPR will no longer apply to UK businesses (with some exceptions).
If your business transfers personal data from the UK to other countries, if your business is already EU GDPR compliant, there won’t be any immediate change. Transfers of personal data from the UK to any EU member state or any country on the whitelist will remain lawful, in the short-term at least, without any other action needed.
However, until there is an adequacy decision from the European Commission for the UK, transfers of personal data from the EU to the UK will be unlawful under EU GDPR without other measures being put in place.
2. Privacy notices
In all scenarios it is vital that your business reviews and updates the terminology used in your privacy notices.
All mentions of Europe, the EU or EEA will need adjusting according to your business’s own circumstances and the notice will need to reflect the different regulatory position.
3. EU GDPR could still apply to your business
In all scenarios, if your business is active in the EU, there is the possibility of dual regulation.
Businesses who intentionally offer goods and/or services to individuals in the EU (whether paid for or not), or who monitor the behaviour of individuals in the EU, will still fall under the scope of EU GDPR in addition to UK GDPR.
These businesses will need to take various steps to ensure they comply with the requirements of both regimes.
If you would like to discuss how to ensure your business is data protection compliant, please email Carys Thompson at firstname.lastname@example.org or call Carys on 0114 252 1485.