What effect will Brexit have on GDPR and your processing activities?

Data flows between the EU and the UK

The sharing of customers’, citizens’ and employees’ personal data between EU member states and the UK is vital for business supply chains to function and public authorities to deliver effective public services.

At the moment personal data flows between the UK and the EU are unrestricted because the UK is an EU member state. So what will happen if the UK leaves the EU?

Leaving with a deal?

If the proposed EU withdrawal agreement negotiated by Boris Johnson is approved, personal data will continue to flow under existing rules until the end of 2020 under transitional arrangements, while a longer-term solution is put in place.

Contact our Data Protection team now.

Simply, there will be no change for businesses during this transitional period.

The expectation then is that during this period the EU will confirm the UK as having “adequate” data protection laws, thus enabling data to continue to flow unrestricted on the expiry of the transitional period.

Leaving with no deal?

It will come as no surprise that a no deal scenario is more complex and difficult for businesses who are processing and transferring data between the UK and EU – particularly if your business is receiving personal data from the EU/EU citizens!

UK to EU data flows – the UK government has made it clear that it will not restrict data flowing from the UK to the EU. So if your business sends UK personal data to the EU for processing then this will be unrestricted.

EU to UK data flows – There is however significantly more risk for businesses which receive personal data from EU countries/data subjects. This is because the UK will on exit from the EU immediately be treated as outside the EU and will not have been confirmed by the EU (at least initially) as having adequate data protection laws…despite that fact that our laws will at that point be identical!

In practice, this will in most cases mean that controllers and processors will have to act quickly to review and amend their contracts:

• Controllers will need to implement EU approved standard contractual clauses with all their data processors, to ensure that EU data subjects’ rights are fully protected.
• Processors will need to ensure that their contracts are reviewed to ensure that they are able to continue to comply with their obligations.

Conclusions

Given that it seems very unlikely that the UK Parliament will allow a ‘no deal’ scenario, then our immediate advice is: don’t panic.

If there is a deal, including approval of Boris Johnson’s deal, then the status quo will remain during a transitional period, which will give businesses time to react to any future changes.

As contingency planning for a no deal scenario, it may be prudent to review:

• your processing activities (to assess what processing of EU data you are conducting);
• your existing contracts with third-party processors
• what changes would be needed to these contracts to implement the EU standard clauses if a no deal occurred.

If you have any questions about the points made in this piece, please contact Steve Thomas on 01242 246 489 or at [email protected]