The UK has voted to leave the European Union. This means that once the UK leaves, it will no longer have to comply with the laws of the EU (although a lot of law in the UK will look exactly the same). The question on everyone’s lips, however, is what happens after Brexit to the EU’s General Data Protection Regulation (GDPR) which comes into effect on 25 May 2018?
The UK is due to leave the EU on 29 March 2019. After this date, it is likely that there will be a so-called transitional period. So, what happens between now and 25 May? What happens between 25 May 2018 and 29 March 2019? And then what happens after that?
In the same way as there are conflicting opinions on what the UK will look like in a post-Brexit world, there are conflicting opinions on what Brexit means for UK data protection law. How will the relationship between Brexit and the GDPR affect the rights of individuals in the UK and those businesses seeking to do business in the UK?
We’re here to answer all your Brexit and GDPR related questions and set the record straight once and for all.
Brexit’s real impact on the GDPR
In the short term, Brexit will have no impact on the GDPR. On 25 May 2018, the UK will still be in the EU and organisations subject to the GDPR must comply with the regulation in full. This means that both organisations based in the UK and non-EU businesses selling goods or services in the UK need to be ready to comply with the GDPR. Likewise, non-EU businesses monitoring EU (including UK) citizens such as US online advertisement tracking companies need to comply with the GDPR.
The future of the UK’s data protection laws
Both the UK government and the Information Commissioner have made it clear that the obligations contained in the GDPR are obligations which will continue post-Brexit. The GDPR has direct legal effect in the UK from 25 May 2018. There was a Data Protection Bill published in September 2017 which will repeal the existing Data Protection Act 1998 and implement the GDPR standards.
The speed with which this has been done when compared to other areas of EU law applicable in the UK shows how seriously the UK government is in ensuring that it stays in line with the more rigorous standards of the GDPR. Therefore, it can be said with confidence that the GDPR standards will apply from 25 May 2018, for the period of any transitional arrangements and from when the UK flies the EU nest on 29 March 2019.
What we don’t know yet
There are some questions that still require answering. For example, at present the GDPR states that personal data can only be transferred out of the European Economic Area to countries with an adequate level of protection. This is typically achieved by a country obtaining:
- an adequacy ruling from the European Commission (e.g Canada);
- agreeing special arrangements (e.g Privacy Shield participants in the US);
- use of ‘binding corporate rules’ (take a long time);
- or use of ‘model clauses’ (logistically tricky in some cases).
What will the position be for EU companies needing to transfer personal data to the UK?
At a recent conference in Brussels (1), the Irish Data Protection Commissioner said that an automatic adequacy decision for the UK was unlikely so the easiest solution may not be so easy.
And what about transfers of data from the UK to the USA post-Brexit? Will the UK have to negotiate its own arrangements with the US? Will it attempt to piggyback on the Privacy Shield arrangements that the US has with the EU?
The UK government and the Information Commissioner need to clarify such questions because without the effective free flow of personal data to and from the EU and other parts of the world, there will be a detrimental effect on the economy of the UK.
Still not prepared for the GDPR?
If your organisation has left it late to comply with the GDPR, for reasons of Brexit uncertainty or otherwise, one thing is clear – with regards to the GDPR, you cannot simply do nothing.
Given the lack of time for compliance preparation, your organisation needs a simple, quick, and effective solution which takes away the worry and risk of not complying with the GDPR. It needs to embed GDPR compliance within its organisation, educate its workforce as to what GDPR compliance means and be able to demonstrate such compliance to customers and regulators alike.
Our effective solution is The Privacy Compliance Hub. This safe and secure product allows organisations to implement a comprehensive, easy to implement a GDPR compliance solution which tells you what to do, how to do it and when. It also educates employees on compliance, creating a confident and informed workforce.
Find out more about how it works here or simply get in touch for a chat by dropping us an email at firstname.lastname@example.org.
- Computers, Privacy & Data Protection 2018 – The Internet of Bodies – Brussels