Data protection has been a key issue in determining the EU and UK's relationship. Businesses that had adapted to comply with the requirements of the General Data Protection Regulation (GDPR) in 2018 now need to assess their compliance with potentially both the EU and UK data protection regimes.
Further, whilst businesses have become used to the ease with which personal data can move between the EU and the UK, we still await a decision as to whether the EU is satisfied as to the adequacy of the UK's post-Brexit data protection regime. Immediate pressure on this issue was removed with a four-month bridging mechanism (which may be extended by a further two months) agreed by the EU and UK as part of the negotiations culminating in the Trade and Co-operation Agreement. During this period, the EU Commission is continuing its assessment of whether the UK's data protection regime is adequate, and data flows from the EEA to the UK can therefore continue unrestricted for the time being. The effect of the bridging mechanism is that, during this period, the UK will not be treated as a third country for the purposes of data transfers from the EEA, provided that it does not modify its data protection law (the 'UK GDPR') or exercise certain powers in relation to international transfers, unless by mutual agreement. If the EU objects to any such changes or exercise of powers, and the UK goes ahead and makes them, the bridging mechanism will come to an end.
In February 2021, the European Commission issued draft decisions conferring adequacy status on the UK's regime, but there is still some way to go before the decisions are given final approval. Whilst the UK has taken steps to ensure that GDPR continues to apply in the UK - in the form of 'UK GDPR' - there are concerns about the UK's approach to data surveillance and investigatory powers.
In case adequacy is not confirmed, and also to reflect the ongoing issues relating to data transfers to the US, businesses should continue to:
- Audit international data flows (from the EEA to the UK, and also from the UK to other jurisdictions such as the US): what personal data you have, where you hold it, and where you transfer it to and from.
- Identify the appropriate mechanisms to put in place to maintain those data flows, where necessary, if there is no adequacy decision by the end of the extended period provided for the European Commission to reach one. These could be Standard Contractual Clauses, Binding Corporate Rules and Certification Mechanisms, or specific derogations such as consent from the data subject, together with supplementary measures as appropriate.
The data protection compliance burden caused by Brexit goes beyond data transfers, as businesses must now adapt to being subject to potentially divergent regulatory regimes - the 'actual GDPR' in the EU, and 'UK GDPR' in the UK. Given the extra-territorial effect of both regimes, this is particularly acute for businesses operating across both the EU and the UK, and could necessitate the allocation of additional resources to meet increased levels of compliance. It could also result in duplicative regulatory action arising from a single incident.
Key compliance issues for a business include:
- Identifying whether an EEA data protection authority can be a 'lead supervisory authority', in order to take advantage of the GDPR 'one stop shop' regime for regulatory engagement.
- Appointing a representative in the EEA and/or the UK for the purposes of both the 'actual GDPR' and 'UK GDPR', where necessary, depending upon the location of its establishment(s).
- Reviewing and updating Privacy Notices, website terms and conditions, terms of business and data related agreements to ensure compliance with both regimes' transparency requirements.
For more information, read our detailed Guide on the Impact of Brexit on Data Protection. We have also put together a user-friendly UK GDPR resource.