The past two years of Brexit negotiations have largely proved the late William Goldman’s adage that “nobody knows anything”. No one can tell you what Brexit will entail, very little has been finalised and there’s a real possibility that the UK will exit the EU without a formal agreement.
Amid all this uncertainty, you might be surprised to learn that the UK government does have a plan for protecting personal data if the UK can’t negotiate a deal by 29 March 2019.
“Data protection if there’s no Brexit deal” outlines what will happen in that scenario, reflecting the reality that the free flow of personal data between the UK and the EU is vital to maintaining the relationships that are essential to the economy and security.
The ‘No Deal’ framework
The European Union (Withdrawal) Act 2018 will incorporate the GDPR (General Data Protection Regulation) into UK law post Brexit. The government will then have the power to make appropriate amendments to ensure that it works effectively in a UK context.
The UK government’s website provides a full list of amendments to UK data protection law in the event of a no-deal Brexit.
- Data controllers and data subjects: The responsibilities of data controllers will remain the same, and data subjects will continue to benefit from the same high levels of data protection as they do now.
- Data transfers from the UK to EEA (European Economic Area) countries: The UK will “transitionally recognise” all EEA countries (and Gibraltar) as providing an adequate level of protection for personal data, allowing organisations to transfer data freely. The UK would keep all of these decisions under review.
- Data transfers from the EU to the UK: Each EU member state will have to provide its own rules for transferring data to the UK. Organisations in the UK that rely on data transfers from the EU should work with their EU counterparts to make sure alternative mechanisms for transfers (such as standard contractual clauses) are in place.
- Existing EU adequacy decisions: The UK government intends to preserve the effect of adequacy decisions made regarding a country or territory outside the EU. This means that transfers from UK organisations to adequate countries can continue uninterrupted. The EU Commission has so far recognised Andorra, Argentina, Canada (commercial organisations), the Faroe Islands, Guernsey, Israel, the Isle of Man, Jersey, New Zealand, Switzerland, Uruguay and the US (limited to the Privacy Shield framework).
- Recognising EU SCCs (Standard Contractual Clauses): Provisions will be made so that the use of SCCs that have previously been issued by the European Commission will continue to be an effective basis for international data transfers from the UK. Under the proposed regulations, the ICO (Information Commissioner’s Office) will have the power to issue new SCCs after the UK leaves the EU.
- BCRs (Binding Corporate Rules): Existing BCRs will continue to be recognised after Brexit, and the ICO will retain its ability to authorise them.
- Maintaining the GDPR’s extraterritorial scope: The GDPR applies to all organisations that process EU residents’ information, regardless of where they are based. The UK government will retain this scope regardless of whether a Brexit deal has been reached.
- UK representation for controllers: The UK government will replicate the GDPR’s requirements for controllers based outside the EEA to designate an EEA representative.
As this list shows, things won’t change too much in the event of a no-deal Brexit, but one big requirement is the need for an EEA-based representative.
Find out more
To learn more about our range of tools and protecting your organisation from a data breach, watch our short introductory videos: vsRisk Cloud, the Data Flow Mapping Tool, the DPIA Tool and Compliance Manager. And to pre-register for our new solution GDPR Manager, click here.
To request a demonstration of any of our tools, please click here.