December 9 2020
Get Ready for Brexit: The Future of UK Data Protection
Industry Insights
James Bosson
Last month, we were fascinated by our monthly virtual GC event in collaboration with LexisNexis and Radius Law. The talk revolved around the rapidly approaching end of the Brexit ‘transition period’, and offered a broad breakdown of what businesses and law firms can expect moving forwards. A summary of the main points can be found in this sizeable blog post.
However, last month’s meeting barely scratched the surface! The end of the Brexit transition period is a big topic, and presents a lot of fresh and interesting challenges to the UK legal industry. Fortunately, a second Brexit-themed event went ahead last week - and delved more deeply into three big areas; Data Protection, Employment Law, and Contract Law. We took feverish notes during the event, and broke each of these areas down into their own blog post.
This post will deal with Data Protection, and is based on information provided by speakers present in the call.
1) UK Data Protection hinges heavily on an upcoming EU adequacy decision
After the UK’s transition period ends, it’s data relationship with the EU will need redefining. This is, unfortunately, still a little unclear. The exact nature of future UK / EU relations will depend heavily on the presently ongoing negotiations - so watch this space.
What we do know, however, is that unless things change after the 31st of December the UK will be considered a ‘third country’ in terms of its relationship with the GDPR. This means that the UK will fall outside of the ‘GDPR zone’ - which will immediately restrict the data that can be passed between from the EU to the UK.
Under GDPR rules, each ‘third country’ outside of the ‘GDPR zone’ may undergo an adequacy assessment by the European Commission to determine whether that country has adequate data handling safeguards in place to maintain the free-flow of data. Think of this as a big data-based risk assessment.
We’re still awaiting this adequacy decision, and they do usually take a number of years to process, so businesses and legal teams should definitely audit their data flows now. If the UK does not receive a favourable adequacy decision, this will significantly impact dataflows from 01.01.21. Accordingly, UK businesses should assess their dataflows as soon as possible and prepare steps to mitigate the impacts of this.
In addition to this, UK businesses may want to consider the possibility of using Standard Contractual Clauses to transfer data to and from the EU. These are, most likely, the best and easiest option to transfer data between the UK and the EU whilst we await the results of the adequacy decision - which has been further complicated in light of the Schrems II decision. Fortunately, these are relatively straightforward and easy to fill out - and the Information Commissioner's office has produced an interactive tool to help you understand how to use them and how they apply to you.
You can read more about European Commission adequacy decisions here on their website.
2) GDPR rules will still largely apply
Once the transition period has passed, and the UK is fully sovereign, it will no longer have to abide by GDPR regulations. Sounds simple, right? Not so fast.
To ease the UK into a new data protection regime, the UK will be incorporating large parts of existing GDPR legislation into its existing data protection law, in line with the Data Protection Act 2018. Think of it as a ‘UK version’ of GDPR. There are a number of changes that have been made, but these are largely superficial tweaks to make sure the UK’s version of GDPR works in a UK context. A fantastic explanation of this can be found in this LexisNexis PSL document.
Another crucial takeaway for businesses and legal teams is to consider who the new regulatory authorities will be for data handling. To this end, LexisNexis have produced a routinely-updated information guide on the current status of UK / EU data transfers under GDPR. Much of the UK’s data protection legislation will be handled by the Information Commissioner’s Office moving forwards. Whilst much of the legislation will remain the same - UK businesses will have to develop a new relationship with this new regulatory authority.
The ICO may operate differently to previous regulatory data authorities you have interacted with previously, so it will well worth familiarising yourself with their guidelines on post-transition period data protection.
3) UK businesses may need an EU representative branch
If you are a business based in the UK, but offering goods or service inside the European Economic Area (EEA) and processing the personal data of EEA residents, you will need a representative branch within the EU moving forwards. Not having one in place could incur significant fines - so this is well worth thinking about sooner rather than later.
There’s still a lot more to consider, however. An EU representative must be appointed in writing, and will have to be explicitly authorised to act on your behalf when dealing with anything to do with EU GDPR. It goes without saying, but information about who this representative is and the nature of their role will need to be included in an updated version of your privacy notice.
So there you have it – an exhaustive breakdown of all the major sticking points facing the changing shape of Data Protection in the UK following Brexit. Hopefully you have found this information useful, and come away with at least a few things to consider!
As can be clearly seen above – there’s a lot that still needs to be prepared in a short space of time! If you’re interested in checking back in with the shifting legal sands after the end of the transition period, then we thoroughly encourage you to register for January’s post-Brexit GC session using this link.
Additional resources:
- The Financial Times: Brexit Articles - If you want to stay informed on the Brexit negotiations, you could do a lot worse than the FT. Their articles are comprehensive, detailed, and fairly impartial.
- LexisNexis Brexit Tools: Our friends at LexisNexis have compiled their Brexit-themed resources and tools, to help those in the legal industry cope with it’s shifting legal sands.
- Gov.uk Transition Resources: This government directory of transition period information is specifically tailored to help UK businesses prepare for the end of the transition period.