GDPR post Brexit

What do we need to know about GDPR post Brexit?

Unless you have been hiding under a bush for the past few months, you will know that we have now left the EU and established a new trade deal with the European Union. Whilst the actual terms of how we trade with Europe may not be a business concern for your organisation, how we store and use data and the security of your IT systems will be.

What does Brexit mean for GDPR?

The Data Protection Act 2018 (DPA 2018) continues to apply. Part of the new trade deal with the EU included a delay in transfer restrictions for at least another 4-6 months and is known as ‘the bridge’. This will enable personal data to flow freely from the European Economic Area, or EEA, to the UK until either adequacy decisions are adopted, or the bridge ends. The ICO advises any companies that receive data from the EEA to put alternative safeguards in place prior to the end of April.

Will GDPR still apply?

EU GDPR is an EU regulation and will no longer apply to UK businesses. But, GDPR has been incorporated into UK data protection law since 2018 as the UK GDPR so theoretically, there is little change to core data protection principles, rights and obligations. But this doesn’t mean that EU GDPR will not affect your business, especially if you operate in Europe, offer goods or services to individuals in Europe, or monitor the behaviour of individuals in Europe. Any business that receives data from the EU will need to work with this partner to establish how to transfer data in accordance with UK GDPR. Organisations that work closely with European partners should consider appointing a European representative to act on your behalf, information of which should be made public through your privacy notice and on your website.

Will businesses need both a UK DPO and EU DPO?

The short answer here is no. Your Data Protection Officer can act for companies based both in the UK and EU so long as they can still carry out their work effectively and remain accessible to all employees, regulators and persons whose data you manage.

What are the prospects of a full adequacy finding?

As it stands, the UK has a strong case for adequacy. Post Brexit, the UK will incorporate the GDPR into domestic law meaning that our data protection laws are identical to the GDPR. However, there are still hurdles to overcome and Government advice is that businesses working with EU partners where data transfer takes place need to look at alternative transfer mechanisms (which could mean the use of Standard Contractual Clauses), in case there is no adequacy finding.

For the time being, it is business as usual when it comes to data protection and GDPR for most businesses. Digital marketers will not need any additional permissions to contact their databases and protocols that businesses have been following since 2018 in regards to data still need to be adhered to. The sticking point will be the adequacy decision. The process for the UK to obtain the adequacy decision from the European Commission began long before the trade deal was struck, and with the temporary bridge being only up to 6 months, it is hoped that clarity on this point will be given to UK businesses in the not so distant future.