Brexit and Data Protection

Tom Crellin Blog
UK And EU Flag On Computer Keyboard

The cabinet has today announced that it is ramping up preparations for a no-deal Brexit.  This includes advising businesses to activate their own no-deal contingency plans.  However, the political landscape remains very unclear and it would seem that the only certain thing about Brexit is uncertainty.  What does Brexit mean for data protection? What about the work that companies have put into GDPR compliance in 2018?

Data in the UK

Data protection legislation in the UK is currently a combination of the EU General Data Protection Regulations (GDPR) and the UK Data Protection Act 2018 (DPA).  The UK Act parallels the GDPR and will remain in place regardless of what happens with Brexit.  The government plans to bring all applicable parts of GDPR into UK law as part of Brexit.  Therefore, investment in GDPR compliance is not wasted.  The same framework will underpin UK data protection law for the foreseeable future.

In short, for data that you collect and keep in the UK, Brexit brings no significant change. 

Data outside of Europe

Similarly, regulations for data flows outside the European Economic Area (EEA) are likely to remain much the same. The Information Commissioner expects that the UK government will replicate the existing EU adequacy and standard contract clause arrangements.

Almost all small businesses in the UK rely to some extent on the big four cloud companies: Amazon, Apple, Google and Microsoft.  Even if it is just to sync contacts or email on a mobile phone.  These are American companies  and so the status of the US Privacy Shield arrangements could have a huge impact.  At present, there is no UK equivalent of Privacy Shield but the UK government “intends to make arrangements”.  Unsurprisingly, the big four are not content to wait for these arrangements nor to risk their UK business.  This is why, for example, Google is changing its terms of service next month so that your contract is with Google Ireland Ltd, not the USA-based corporation.

Tilst the UK still has a lot to do to ensure that current non-EEA arrangements are replicated in the UK.  It is reasonable to assume, though,  that any transition period will be afforded grace by the UK authorities. So business as usual is a reasonable plan

Data transfers with Europe

The UK government has stated that it will not restrict transfers of data to the EEA.  You can therefore continue to share data with service-providers based in other EU/EEA countries on the same terms as you do now.

However, the picture for European companies wishing to share data with you is much less clear.  The UK will seek approval as an “adequate” country by the EU but this process takes time. (Japan and South Korea began the process more than two years ago).  Without an adequacy decision, EU companies will need to put binding agreements in place before they can share data with you.  These will either be in the form of standard contract clauses (SCC) or binding corporate rules (BCR).  SCCs apply where the organisations sharing data are separate entities. BCRs apply where the organisations are part of a group.

If you are in the position of receiving personal data from an EU organisation, then it would be wise to negotiate an appropriate binding agreement now so that it can be already in force before the 29th March.  If your organisation requires BCRs, then these need to be approved by the ICO.  You should work on the assumption that the approval process will not be complete by 29th March. So you will need contingency plans in place for continuing to trade without importing this data to the UK.

There is detailed information on international data transfers on the ICO website.  For specific advice tailored to your organisation, contact Tom Crellin Consultant.