The cabinet has today announced that it is ramping up preparations for a no-deal Brexit. This includes advising businesses to activate their own no-deal contingency plans. However, the political landscape remains very unclear and it would seem that the only certain thing about Brexit is uncertainty. What does Brexit mean for data protection? What about the work that companies have put into GDPR compliance in 2018?
Data in the UK
Data protection legislation in the UK is currently a combination of the EU General Data Protection Regulations (GDPR) and the UK Data Protection Act 2018 (DPA). The UK Act parallels the GDPR and will remain in place regardless of what happens with Brexit. The government plans to bring all applicable parts of GDPR into UK law as part of Brexit. Therefore, investment in GDPR compliance is not wasted. The same framework will underpin UK data protection law for the foreseeable future.
In short, for data that you collect and keep in the UK, Brexit brings no significant change.
Data outside of Europe
Similarly, regulations for data flows outside the European Economic Area (EEA) are likely to remain much the same. The Information Commissioner expects that the UK government will replicate the existing EU adequacy and standard contract clause arrangements.
Almost all small businesses in the UK rely to some extent on the big four cloud companies: Amazon, Apple, Google
Tilst the UK still has a lot to do to ensure that current non-EEA arrangements are replicated in the UK. It is reasonable to assume, though, that any transition period will be afforded grace by the UK authorities. So business
Data transfers with Europe
The UK government has stated that it will not restrict transfers of data to the EEA. You can
However, the picture for European companies wishing to share data with you is much less clear. The UK will seek approval as an “adequate” country by the EU but this process takes time. (Japan and South Korea began the process more than two years ago). Without an adequacy decision, EU companies will need to put binding agreements in place before they can share data with you. These will either be in the form of standard contract clauses (SCC) or binding corporate rules (BCR). SCCs apply where the
If you are in the position of receiving personal data from an EU organisation, then it would be wise to negotiate an appropriate binding agreement now so that it can be already in force before the 29th March. If your organisation requires BCRs, then these need to be approved by the ICO. You should work on the assumption that the approval process will not be complete by 29th March. So you will need contingency plans in place for continuing to trade without importing this data to the UK.