Brexit: What are the privacy implications?

Brexit: What steps do organisations need to take? 

The implications of Brexit will depend on the type of deal struck between the EU and the UK. Will it be a hard or a soft Brexit? This question leaves one with no certainty. 

However, if the UK leaves on 29th March 2019, the UK Data Protection Act 2018 will remain in place and the GDPR incorporated into UK law. Furthermore, from 29th March to end of December 2020 there will be a transitional period if formally agreed and the EU rules would continue to apply in the UK during that period. 

On 14th November 2018, the UK cabinet agreed a draft withdrawal agreement which governs the exit of the UK from the EU and the UK’s future relationship with the EU. Whilst this draft is very much that (and it is unlikely that this will ultimately be the agreed form for an exit), it is clear that the UK has always stated that it intends to maintain a strong environment for data protection matters, and this draft document confirms that approach.

Nonetheless, things are still up in the air, which provides little comfort for businesses, with things looking undecided until at least 2020 when the EU will hopefully have finalised its analysis of the UK’s privacy framework.

So what are the concrete issues businesses in the UK and dealing with the UK have to face regarding data protection matters?

The issue of international transfers 

On exit of the EU, the UK will become a third country and transfers will mean using alternative mechanisms such as Standard Contractual Clauses or Binding Corporate Rules. 

The UK government is looking for a special deal which would involve: 

  • providing the ICO with an appropriate role and; 

  • avoiding parallel processes for business and consumers. 

The UK might hope for an agreement close to the EU and Japan bilateral agreement, however negotiating this type of agreements takes years. 

In September, the UK government published a technical notice mentioning that in the absence of agreement, organisations would have to use standard contractual clauses to legitimise the transfers from the EU to the UK. The question is whether the UK will be using the EU Standard Commission Clauses or whether it will develop its own set of standard contractual clauses. Moreover, the EU has never published clear guidelines on standard contractual clauses. 

The position therefore remains uncertain, which is of little comfort for businesses and organisations dealing with personal data in the UK or carrying out transfers of personal data to the UK, as they attempt to put safeguards and best practice in place, such as updated contracts, adapted privacy policies, analysis of the Commission Standard Contractual Clauses and staff training.

We are always happy to discuss your data protection Brexit strategy with you, to ensure that you are as protected as possible - and to ensure that your business suffers minimal disruption.

Don’t hesitate to book your free 30 minute consultation here.

Authors: Marie Mortreux, Legal Intern @ Gerrish Legal + Charlotte Gerrish, Founding Lawyer @ Gerrish Legal, November 2018.