GDPR post-Brexit – an update

GDPR post-Brexit

Late last year, we published a guide to everything you need to know about GDPR after Brexit. A few things have changed since then, not least, the UK finally agreeing on a deal on 24th December 2020. So, with the terms of the UK’s exit decided, do we know anything more about what GDPR looks like post-Brexit?

What’s happened since a deal was agreed?

You may remember from our previous piece that the UK was awaiting an ‘adequacy’ decision from the European Commission (EC). In simple terms, the EC must decide whether the UK has adequate data protection measures in place for EU countries to work with it.

In the time-honoured fashion of all negotiations between Britain and EU organisations, we’re still waiting on that decision. However, as a temporary fix, the two sides have set out the ‘Trade and Cooperation Agreement’, which contains a provision for data flows. 

What does this mean for GDPR? 

The ‘Trade and Cooperation Agreement’ contains a provision allowing data flows between the EU and UK to continue as they were pre-Brexit for a maximum of six months. In other words, data can still be transferred in the way it was pre-January 2021 until June this year.

There are two ways this ‘bridging period’ could come to an end. The first is that the UK makes changes to data protection law during the period. If this happens, the UK would be outside the terms of the agreement and data transfers will immediately stop.

The second is that the EC makes a decision on the UK’s adequacy status. If this hasn’t happened by 1st April then the period will be extended to its full six-month maximum. 

Still with us? It’s also important to note that the UK has already deemed the EU’s data protection as adequate, meaning data is free to flow in the other direction too. GDPR has now been made part of UK law and renamed the ‘UK GDPR’. And, the Trade and Cooperation Agreement includes a commitment that the UK and EU will continue to cooperate on digital trade in future. 

What does your business need to do? 

If it’s business as usual until April, does your business need to do anything to ensure compliance with GDPR?

Unfortunately, the answer is yes. While data flows can continue as they are, for now, predicting the future is tricky. Some commentators are cautiously optimistic about the likelihood of a favourable adequacy decision for the UK. However, many others cite the long-standing differences in surveillance practices between the EU and UK as a potential blocker to any positive outcome.

This means that the smart thing to do, for businesses of any size, is to put in place alternative arrangements. The Information Commissioners Office (ICO) has already issued a statement urging businesses that depend on data received from EU/EEA countries to do exactly that. 

In practice, this means setting out binding corporate rules (BCRs) or standard contractual clauses (SSCs) on data protection for an EU organisation you exchange information with. This is essentially a commitment to comply with EU data rules as an individual organisation in the event that something changes at the state level.

You can find more advice on the ICO’s Brexit hub and we’ll keep bringing you further updates as we get them. 

Data privay toolbox

GDPR after Brexit – everything you need to know

GDPR after Brexit

Just when you thought the endless rounds of Brexit negotiations were finally drawing to a close and it was safe to tune into the news again, another problem has reared its head. What will happen to GDPR after Brexit? And will UK companies still be able to exchange data within the EU? 

To provide some clarity amongst the confusion, we’ve tried to answer both. So, join us on a whistlestop tour of all things Brexit and GDPR. 

Will GDPR apply in the UK after Brexit? 

Strap yourselves in, this one’s going to take some explaining. While GDPR will no longer apply ‘directly’ once the transition period ends on 31st December 2020, that doesn’t mean UK organisations no longer need to comply with it. 

This is because the Data Protection Act 2018 enshrines GDPR’s requirements in law. On top of the existing legislation, the UK government has issued a statutory instrument catchily titled ‘The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019’. In simple terms, this amends the original law and merges it with the requirements of GDPR. The outcome will be a new data protection framework known as the ‘UK GDPR’. 

Still with us? The good news is that there’s virtually no difference between the UK version of GDPR and the current EU regime. So, for the meantime at least, you should continue to comply with the requirements of the EU GDPR. 

So why all the dramatic headlines about GDPR after Brexit? 

If there’s little material difference between the current GDPR and the proposed UK version, why are we seeing headlines about the switch costing UK firms £1.6bn in compliance fees?

Well, the problem lies in how the UK’s status is defined by the EU. Once the UK leaves the EU, as a non-member state it will be reclassified as a ‘third country’. And this has big ramifications for the transfer of personal data between countries. 

Under GDPR (the EU version), transferring personal data from the European Economic Area (EAA) to third countries is only permitted in one of three circumstances.

The three options

  1. If the European Commission (EC) has issued an adequacy decision. In other words, the EC has decided the third country has adequate data protection measures in place for EU countries to work with it.
  2. If safeguards such as binding corporate rules (BCRs) or standard contractual clauses (SCCs) are in place between organisations exchanging data. These are essentially commitments to comply with GDPR at the level of an individual company.
  3. If an approved ‘code of conduct’ is in place between the EEA and the third country. 

At the moment, no code of conduct has been agreed between the EEA and the UK. What’s more, the EC is yet to issue an adequacy decision.

This has led commentators, such as the New Economics Foundation (NEF) and UCL’s European Institute research hub, to suggest that in the event of a no-deal Brexit, UK businesses would have to undertake option two from the three circumstances listed above. 

The problem with this is that it could prove very costly. In fact, NEF estimates setting up extra compliance measures like SCCs could cost on average £3,000 for a micro-business, £10,000 for a small business and £19,555 for a medium-sized firm. For large firms, the figure could be as high as £162,790, with a cost of £1.6bn to the UK economy as a whole. 

How likely is this to happen?

While the last section might be a little scary, it’s important to stress that it is the worst-case scenario. The UK government has stated several times that it’s committed to securing an adequacy agreement with the EC. So it’s not beyond the realms of possibility that all this will be academic and we’ll see a relatively smooth transition process.

However, there are some doubts about the likelihood of the UK being granted adequacy status. And there are a couple of compelling reasons for this. First, the EU has long opposed some of the practices of the UK security services. This has led to several protracted court battles and a few defeats for British legislators. It’s felt that unless the UK is willing to change it’s surveillance practices – something it’s repeatedly refused to do – then this is likely to provide a blocker to the UK being granted adequacy status. 

Second, the UK government has committed to ‘liberalizing’ data laws as it leaves the EU. Its argument for doing this is that data is currently ‘inappropriately constrained’ by EU laws. The problem is that this is likely to render the UK’s data protection measures inadequate in the eyes of the EU. Again, leading to a scenario in which the UK becomes considered a third country without adequacy status. 

What should SMEs do? 

At this point, it’s natural to wonder what your business can do to ensure you’re ready for the transition. After all, with all the decisions being made at an international level, what can a single SME do but wait?

We don’t yet know the outcome of negotiations on the UK’s adequacy status. So planning for extra compliance measures like SSCs is a challenge. Nevertheless, as we mentioned earlier, it’s well worthwhile ensuring your business is compliant under the current GDPR regime. At the very least, this should help you stay on the right side of the new UK GDPR standard once it’s released.

Data protection obligations got you in a muddle? Get on top of them quickly and easily with the CyberSmart Privacy Toolbox.

CyberSmart Privacy Toolbox