Data Protection and GDPR post Brexit
After the Brexit transition period ends on 31 December 2020, the EU GDPR will no longer be law in the UK and the UK will become a “third country” for the purposes of EU law.
As the UK government intends to write a UK equivalent to the GDPR into UK law, from all practical perspectives, GDPR will continue to apply. Contracts and privacy notices may, however, need to be updated to refer to correct legislation.
Notwithstanding that a comparable regime may be in place, UK organisations, businesses and individuals that process or transfer the personal data of EU-27 citizens from the EU to the UK may need to take action to continue the free flow of data from the EU to the UK and guarantee the protection of EU data subjects. The action required will vary according to whether there is a deal or no deal and may necessitate obtaining specialist legal advice.
As a “third country”, until the EU makes an adequacy decision regarding the UK (which could take some time), the transfer of personal data from the EEA to the UK will only be allowed if ‘appropriate safeguards’ are in place. Such safeguards include Standard Contractual Clauses (SCCs).
SCCs must be inserted into contracts (whether controller to controller or controller to processor) before the end of the transition period, and their wording must follow that approved by the European Commission.
Transfers of personal data from the UK to the EU/ EEA will not be affected and transfers to and from countries outside of the EU/EEA will be subject to the same rules as now.
In addition, some businesses offering goods / services to individuals in the EU or which monitor individuals in the EU may need to appoint (in writing) a “GDPR Representative” to act as a local representative for individuals and data protection authorities in the EU. This cannot be an organisation’s DPO.
The Information Commissioner’s Office (ICO) has published a checklist of six steps that businesses can take now to start preparing for data protection compliance in the event of no-deal.
You can view this checklist here:
The government has also produced guidance on using personal data after Brexit, which is available here: https://www.gov.uk/guidance/using-personal-data-after-brexit
The information was correct at time of publishing but may now be out of date.