Data protection for your business after a no-deal Brexit

7 October 2019

At the time of writing, it is possible that the UK could exit the EU on 31 October 2019 (“exit date”) without a deal, which means immediately leaving EU institutions such as the European Court of Justice without an agreement over what happens next.


Whilst a smooth transition of data privacy laws is essential for minimising disruption to the free movement of personal data, which forms the lifeblood of the digital economy, this measure is not in itself conclusive. This blog forms part of our data protection series. It summarises the government’s proposed data protection regime in the event of a no-deal Brexit and looks at the preparatory steps you can consider to help avoid interruption to your business.

The “UK GDPR”

The GDPR is the EU’s data privacy regulation which applies as law in the UK and all EEA countries (i.e. the EU plus Iceland, Norway and Liechtenstein). When the UK leaves the EU, the government intends to create the “UK GDPR” by amending the EU GDPR as illustrated in the ‘Keeling Schedule’ for the GDPR. This means that the fundamental rights of individuals and governing principles (such as fairness, transparency and accountability) will stay the same but the territorial scope will be limited to the UK only.

International data transfers

As discussed in our previous blog (GDPR for the UK: Brexit and international transfers of personal data), in the absence of an adequacy decision in favour of the UK (which, according to the government’s recently published Operation Yellowhammer papers, could take years to achieve), as a UK business you will need an alternative legal basis for processing personal data where you (i) send personal data outside the UK (this will be a “restricted transfer” under the UK GDPR); or (ii) receive personal data from the EEA; or (iii) receive personal data from countries which are covered by an adequacy decision.

The Information Commissioner’s Office (the “ICO”) is the independent public authority that is responsible for monitoring the application of the EU GDPR in the UK. (After Brexit, the ICO will continue to be the UK’s supervisory body in relation to the application of domestic data protection law.) According to the ICO, the government intends to recognise the EU adequacy decisions that have already been made, which will allow most restricted transfers to organisations in those countries to continue (this includes the recently implemented adequacy decision for Japan). Furthermore, UK businesses will still be able to transfer personal data to US organisations that are certified on the EU-US Privacy Shield as long as those organisations expressly state that their commitment to compliance with the Privacy Shield applies to personal data from the UK. You will need to check this commitment has been updated in each case.

If no adequacy decision applies to your restricted transfer, you should consider what documentation is needed to keep data flowing (and where the data is going). In many cases this will mean entering into standard contractual clauses which the sender and receiver both sign up to, as this is a fairly straightforward means of providing an appropriate safeguard for a restricted transfer. Alternatively, binding corporate rules (“BCRs”) can be used for transfers from an entity in the UK to overseas branches within the same corporate group. The ICO has stated that the government will recognise BCRs created pursuant to the EU process before the exit date as ensuring appropriate safeguards for the protection of personal data. On exit date the UK will become a third country, so your BCRs should be updated to reflect this change. Local laws will apply in respect of data transfers from countries outside the EEA which do not have an EU adequacy decision for transfers to the UK. In these situations you may wish to seek guidance from lawyers of the relevant jurisdiction as necessary.

EU Representatives

If you target customers in the EEA and your business is based in the UK only, without any branches or offices in other EEA countries, then as a non-EEA based controller or processor after exit date, you will need to appoint a representative within an EEA country where the data processing takes place. The representative (which can be an individual or an organisation) must be established in the EEA and must be able to represent your business in respect of all matters of compliance with the EU GDPR, including liaising with supervisory authorities and data subjects. The representative must be appointed in writing, and this is likely to be most effectively achieved through the use of a services agreement. You should make details of the representative easily accessible to customers and supervisory authorities by including them in your privacy notice and publishing them on your website. A representative does not need to be appointed if your processing is only occasional and low risk, i.e. it does not involve the collection of sensitive data (such as health information and criminal records) on a large scale.

A “one-stop-shop” for cross-border processing

The ICO is preparing guidance for cross-border processing and lead supervisory authorities. The aim is to create a “one-stop-shop” system whereby controllers and processors which carry out processing that impacts individuals in more than one EEA country only need to liaise with a single lead supervisory authority in the EEA. Such authority will act on behalf of all other interested EEA data protection regulators and will be responsible for investigating breach incidents and taking enforcement action such as by issuing fines. Further comment on the proposed arrangements may be provided once guidance has been issued by the ICO and the European Data Protection Board.

Business as usual after Brexit

Whilst Brexit remains in a state of flux, as a UK business with international operations and overseas customers, it is important to evaluate the potential impacts of legal changes and consider your data flows and the subsequent steps you could take to help maintain business as usual after Brexit.

Should you have any Brexit, GDPR or data protection queries, please contact Kingsley Napley’s Brexit or Data Protection teams.
