We’re all familiar with the General Data Protection Regulation (GDPR) and the additional responsibilities businesses need to keep Personal Data secure. But with the Brexit completion on the horizon, what does this mean for GDPR in the UK?
For those wondering if our recent departure from the EU will mean the GDPR will still apply, the short answer is ‘yes’. But it will be different.
What do we know so far?
EU primary and subordinate law in force before exit day is retained as domestic law under section 7(2) of the European Union (Withdrawal) Act 2018, unless it falls within one of the exceptions or is modified.
The Brexit transition period began when we left the EU on 31st January 2020. It ends on 31st December 2020 under the Withdrawal Agreement concluded under Article 50(2) and given effect by the European Union (Withdrawal Agreement) Act 2020. From 1st January 2021, UK laws and regulations take the place of the directly applicable European ones. Here’s what that means for Brexit and the GDPR…
GDPR During and After the Transition Period
On the face of it, nothing has changed in data protection during the Brexit transition period: the EU GDPR remains directly applicable in the UK until the end of the year. In the background, however, the draft legislation already shows that changes are coming.
The key legislation in this area, at a high level:
Up to 31st December 2020
- General Data Protection Regulation (EU GDPR) and the Privacy and Electronic Communications Regulations 2003 (PECR)
- Data Protection Act 2018
- EU law applies
From 1st January 2021
- The Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 (effective at the end of the transition period) (“DPPEC”)
- Data Protection Act 2018 (with the GDPR carried into domestic law under sections 2(1), 6(2) and 7A(2) of the European Union (Withdrawal) Act 2018)
- UK GDPR (the EU GDPR as amended by the DPPEC Regulations, read together with the DPA 2018)
- If you have EU customers, then the EU GDPR
So far, we know that the government will bring the EU GDPR into UK regulation as the new UK GDPR. Let’s consider some of the high-level key changes in the UK GDPR.
1. Definitions
There will be two clearly defined regulations, and references to the EU GDPR in the Data Protection Act 2018 (as amended) and in related legislation will change to the UK GDPR:
- “The UK GDPR”
- “The EU GDPR”
References to the GDPR in the Privacy and Electronic Communications (EC Directive) Regulations 2003, the Electronic Commerce (EC Directive) Regulations 2002 and the Freedom of Information Act 2000 will be replaced with references to the UK GDPR.
2. Supervisory authority
Pre-Brexit, the ICO is the UK’s supervisory authority under the EU GDPR. In the UK GDPR, references to the “supervisory authority” become references to the Information Commissioner. If you have EU customers after Brexit, you may still have to deal with the supervisory authority of the relevant EEA country.
3. UK third country
Post-Brexit, in the absence of an adequacy decision, the UK becomes a third country under the EU GDPR, and transfers of personal data from the EEA to the UK would need a safeguard such as standard contractual clauses. If the UK is granted an adequacy decision (see Article 71(1) of the Withdrawal Agreement), the position differs. If you have EU customers after Brexit, transfers from the relevant EEA country can continue without standard contractual clauses where an EU adequacy decision is in place.
Will the EU GDPR Still Apply if the UK GDPR Diverges?
While the EU GDPR will no longer be UK law, it will still apply to you when you offer goods or services to customers in the EU. The EU GDPR has extraterritorial effect, which means it reaches organisations outside the European Economic Area (EEA) in which it applies directly.
To see how this works in practice, you may recall that some American websites blocked European visitors when the regulation first came into force. Because they were not compliant with the GDPR, they chose to turn away traffic from the EEA rather than be caught by the regulation’s extended reach.
This means that if you currently process any personal data of individuals in the EEA, or plan to in the future, you will need to comply with both the EU GDPR and the UK GDPR or risk a hefty fine.
Will I Need to do Anything Differently?
There is a chance you will need to make some changes to stay compliant after 1st January 2021. The EU GDPR includes a section on European Representatives, which requires a business outside the EEA to appoint a European Representative if it is:
- they are offering goods or services to individuals in the EEA; or
- monitoring the behaviour of those individuals; and
- does not have an office, branch or other establishment in the EEA.
If you currently fall into this category and want to continue processing data in this way, you may need to appoint a European Representative. This representative can be an individual, a company or an organisation established in the EEA. We recommend reading more on the ICO Website or the Government guidance at Gov.uk.
There is still some time before 1st January 2021 to prepare your business. The changes are likely to mean:
- Updating your policies
- Appointing an EU DPO or representative and publishing their contact details (where an EU DPO is required)
- Updating contract clauses, data processing agreements and data sharing agreements to reflect the change to UK legislation
- Putting standard contractual clauses in place for EEA-to-UK transfers (in the absence of a UK adequacy decision)
- Staff training
Meeting Your GDPR Responsibilities After Brexit
We recommend you engage with a GDPR specialist if you think you will need to make changes before 1st January 2021. We are a UK based company and cannot act as a European Representative, but we are perfectly placed to guide you through the process and make recommendations tailored to your business.
Some of the changes will mean revisiting existing agreements with EU customers, and this is something we can assist you with.
Reach out to firstname.lastname@example.org for a free consultation on GDPR, Brexit, and your business.