Data protection has been a key issue in determining the EU and UK's relationship. Businesses that had adapted to comply with the requirements of the General Data Protection Regulation (GDPR) in 2018 now need to assess their compliance with potentially both the EU and UK data protection regimes.
However, they will greet with relief the decision by the European Commission, taken just days before the deadline set out in the Trade and Cooperation Agreement, to adopt adequacy decisions in respect of the UK's post-Brexit data protection regime. This means that data flows from the EEA to the UK can continue unrestricted (the UK having already decided that the EU regime was adequate). However, as we discuss here, the inclusion of a sunset clause means that the adequacy decisions in favour of the UK's regime must be reassessed after four years.
Businesses should also note that it is possible that there may be legal challenges to the validity of the adequacy decisions, and so they should continue to monitor for developments.
The data protection compliance burden caused by Brexit goes beyond consideration of international data transfers, as businesses must now adapt to being subject to potentially divergent regulatory regimes - the 'actual GDPR' in the EU, and 'UK GDPR' in the UK. Given the extra-territorial effect of both regimes, this is particularly acute for businesses operating across both the EU and the UK, and could necessitate allocation of additional resource to meet increased levels of compliance. It could potentially also result in duplicative regulatory action arising from single incidents.
Key compliance issues for a business include:
- Identifying whether an EEA data protection authority can be a 'lead supervisory authority', in order to take advantage of the GDPR 'one stop shop' regime for regulatory engagement.
- Appointing a representative in the EEA and/or the UK for the purposes of both the 'actual GDPR' and 'UK GDPR', where necessary, depending upon the location of its establishment(s).
- Reviewing and updating privacy notices, website terms and conditions, terms of business and data-related agreements to ensure compliance with both regimes' transparency requirements.
For more information, read our detailed Guide on the Impact of Brexit on Data Protection. We have also put together a user-friendly UK GDPR resource.