Data protection is a key battleground in determining the EU and UK future relationship beyond the end of the transition period, when the UK will be treated as a 'third country'. Businesses that have adapted to comply with the requirements of the General Data Protection Regulation (GDPR) will now need to assess their compliance with both the EU and UK data protection regimes. Further, whilst businesses have become used to the ease with which personal data can move between the EU and the UK, data transfers may prove more cumbersome in the future, unless the EU is satisfied as to the adequacy of the UK's post-Brexit data protection regime.
An adequacy decision from the EU is not a foregone conclusion. Under the Theresa May Government, the UK had taken steps to ensure that GDPR would continue to apply in the UK - in the form of 'UK GDPR'. More recent UK Government statements and reports from the EU/UK negotiations have suggested that, instead, the UK may see an opportunity to take a different path, thereby potentially disturbing the data equilibrium for businesses operating across borders.
Businesses should take steps to:
- Audit existing international data flows: what personal data you have, where you hold it, and where you transfer it to and from
- Identify the appropriate mechanisms to put in place to maintain those data flows after the end of the transition period in the event there is no adequacy decision. These could be Standard Contractual Clauses, Binding Corporate Rules and Certification Mechanisms, or specific derogations such as consent from the data subject.
The data protection compliance burden caused by Brexit will, however, go beyond data transfers, as businesses adapt to being subject to two potentially divergent regulatory regimes - the 'actual GDPR' in the EU, and 'UK GDPR' in the UK. Given the extra-territorial effect of the 'actual GDPR', this will be particularly acute for businesses operating across both the EU and the UK, and could necessitate the allocation of additional resources to meet increased levels of compliance. It could also result in duplicative regulatory action, with both regulators acting on a single incident.
Key issues for a business to consider now in preparation for the end of the transition period include:
- Identifying whether an EEA data protection authority can be a 'lead supervisory authority', in order to take advantage of the GDPR 'one stop shop' regime for regulatory engagement.
- Appointing a representative in the EEA and/or the UK for the purposes of both the 'actual GDPR' and 'UK GDPR', where necessary, depending upon the location of the business's establishment(s).
- Reviewing and updating Privacy Policies, website terms and conditions, and terms of business to ensure compliance with both regimes' transparency requirements.
For more information, read our detailed Guide on the Impact of Brexit on Data Protection.