Uncertainty around Brexit has caused some confusion as far as data privacy is concerned, with some business owners unsure on how to proceed with their own data protection policies – and whether GDPR will apply after Brexit or not. In this article, we discuss data privacy post-Brexit and the most likely outcomes as a result of it.
On 25 May 2018 the United Kingdom saw the biggest change in data protection law in two decades with the Data Protection Act 2018 becoming legally enforceable.
Superseding the Data Protection Act 1998, the DPA 2018 applies the EU’s General Data Protection Regulation, setting out provisions for how it applies to organisations that control and process the personal data of UK citizens.
The commencement of the Act fell in the month of May, following months of tough Brexit negotiations between the United Kingdom and the EU. This left many business owners wondering which fork in the road to take with their own data protection policy.
What follows is unique insight into data privacy after Brexit, with quotes provided by the Government from their own published guidance.
In the event of a deal, there will be no change in the UK’s data protection standards, so normal service would resume. This means the General Data Protection Regulation (GDPR) will stick, with the Data Protection Act 2018 continuing to provide the legal framework that applies it to businesses in the United Kingdom.
If there’s no deal and the UK leaves the EU in March 2019, the Government itself has stated that there will be “no immediate change in the UK’s data protection standards”, which means the GDPR and DPA 2018 will still apply.
The Data Protection Act 2018 will still exist in its current form. We can say this with absolute certainty because the Government has also stated, “the EU Withdrawal Act would incorporate the GDPR into UK law”.
However, in the event of the UK leaving the EU without a deal, the legal framework governing transfers will change. The Government has said you will still be able to send personal data from the UK to the EU as normal, but you will need to take action to ensure that organisations in the EU can still send personal data to you.
Personal data transfers are, in fact, the only major point of uncertainty around a no deal Brexit. We’ll take a closer look at this below.
The EU’s stance on transfers with no deal
The EU takes data privacy extremely seriously and will only allow the free flow of information between countries if those countries have adequate laws to protect that information. The European Commission has stated that it will allow the transfer of personal data to the UK without restrictions “if it deems the UK’s level of personal data protection essentially equivalent to that of the EU.”
What this means is the UK will need a positive “adequacy decision” post-Brexit in order for personal data transfers from EU countries to the UK to stay the same.
Since the Data Protection Act 2018 satisfies this criterion by rolling out the GDPR, we can expect the EU’s decision on this one to be positive. However, it can take up to two years for an adequacy decision to be awarded.
Guidance on transfers as it stands
Under the GDPR there are specific rules on personal data transfers to non-EU countries (which the UK will be post-Brexit) and international organisations.
The Information Commissioner’s Office (ICO) has published guidance on making restricted transfers post-Brexit. It states that the following questions must be worked through before any transfer of personal data takes place:
1. Are we planning to make a restricted transfer of personal data outside of the EEA?
If no, you can make the transfer. If yes, go to Q2.
2. Do we need to make a restricted transfer of personal data in order to meet our purposes?
If no, you can make the transfer without any personal data. If yes, go to Q3.
3. Has the EU made an ‘adequacy decision’ in relation to the country or territory where the receiver is located, or a sector which covers the receiver?
If yes, you can make the transfer. If no, go to Q4.
4. Have we put in place one of the ‘appropriate safeguards’ referred to in the GDPR?
If yes, you can make the transfer. If no, go to Q5.
5. Does an exception provided for in the GDPR apply?
If yes, you can make the transfer. If no, you cannot make the transfer under the GDPR.
The ICO states that if you reach the end of those questions without finding a provision that is relevant to your case, you cannot make the transfer under the GDPR.
How this applies to you
If you are an organisation with an existing data protection policy designed for GDPR compliance, there will be no changes to data privacy law in the United Kingdom whether the UK leaves the EU with or without a deal.
This means, in plain English, that your existing data protection policy will remain compliant so long as it satisfies the General Data Protection Regulation.
However, you may need to seek separate professional advice if your organisation handles transfers of data to or from EU states, until such time as the EU deems the UK’s level of personal data protection “adequate”.
Lastly, the ICO will remain the UK’s independent supervisory authority on data protection after Britain leaves the EU. The ICO will work as closely as ever with relevant EU authorities to monitor and pursue compliance issues.
Data privacy is more important than ever before
Whether Britain leaves the EU with or without a deal, data privacy should be at the core of every organisation controlling and processing personal data.
It’s as much an issue of ethics as it is of legality. Regarding the latter, individuals have the legal right to privacy and the right to have a say in how their personal data is used. As the controller of that information, you have a legal obligation to enable those rights and to comply with any subject access request.
How the GDPR applies to your organisation depends on the type and scope of data you collect, but no organisation is immune to some change.
If your existing data protection policy was designed to comply with the Data Protection Act 1998, it is now outdated and should be updated as soon as possible. The fines for non-compliance have increased from a maximum £500,000 under the DPA 1998 to £17 million or 4% of group worldwide turnover under the DPA 2018.