StaRs: Time to prioritise, but not to panic
The GDPR is coming into force on 25 May 2018. The UK is leaving the EU at 11pm on 29 March 2019. No doubt these dates are engraved into the minds of most business owners. But while these deadlines are enough on their own to leave you with plenty to worry about, it is also important to consider the interplay between the two – that is to say, what will Brexit mean in terms of the GDPR?
In fact, the European Commission (the “EC”) believes this is so important that it has released a statement reminding businesses that when the UK leaves the EU, the UK will become a “third country” for the purpose of data transfers under the GDPR.
Once the GDPR comes into force and BEFORE we ‘Brexit’:
In very specific cases, derogations apply which mean that transfers of data to data processors in third countries will be allowed, even where none of the above safeguards are in place. These derogations include:
After Brexit, the UK will become a third country. This means that data controllers in EU countries will have to identify a specific legal basis within the GDPR upon which they can legally transfer personal data to the UK (i.e. ensuring that one of the safeguards listed above is in place or relying upon a specific derogation). This will impact any UK business which depends upon receiving personal data from data controllers in the EU, including those who depend upon trade with EU countries, and international firms with offices abroad. Regrettably, in the context of international data transfers, the GDPR will present yet another complication for UK-EU trading companies in the wake of Brexit.
The UK Government recognises the imperative of obtaining an adequacy decision, which would be the simplest means of ensuring that data controllers throughout the EU can legally transfer personal data to the UK without further reliance upon the safeguards, all of which require a significant amount of legal input and expense, and preparation in advance of the data transfer. The GDPR will continue to apply when the UK exits the EU and the UK Government has demonstrated its commitment to the principles of the GDPR within the Data Protection Bill. However, any decision on adequacy will have to wait until we reach the ‘data protection’ stage of the Brexit negotiations. Where the only certainty with respect to Brexit is that nothing is certain, this presents an added challenge to companies with business relationships in the EU.
It is important to note that all of the above is subject to any transitional arrangement being made during the Brexit negotiations. If such an agreement is reached, it is likely to contain provisions about how data can be transferred between the EU and the UK post-Brexit. Alongside considerations with respect to transfers of data from the EU to the UK, thought will need to be given to international transfers by UK data controllers. Similar safeguards are likely to apply within the domestic data protection regime which applies post-Brexit, but the UK will also need to make its own determination concerning adequacy of protection within third countries.
Therefore, in preparing for the introduction of the GDPR in May, you should be looking further ahead and considering the implications of the UK leaving the EU. Where your business is reliant upon data transfers from the EU, you should Brexit-proof your international data transfers by lining up one of the other safeguards in case the UK is not granted adequacy. And at the moment, judging by the careful wording of the EC’s recent statement, this is by no means a foregone conclusion.
Should you have any GDPR or other data protection queries, please contact Kingsley Napley’s data protection team. Likewise, if you require assistance drafting GDPR-compliant contracts, please contact a member of Kingsley Napley’s corporate and commercial team.