Privacy and Data Protection Research Writer at TermsFeed.
On this page
- 1. Understanding the Privacy Implications of Brexit
- 1.1. Will the UK Receive an Adequacy Decision?
- 1.2. Will the GDPR Continue to Apply in the UK Post-Brexit?
- 1.3. What is the UK GDPR?
- 1.4. Will the UK Data Protection Act 2018 Still Apply?
- 2. Facilitating EEA/UK Data Transfers
- 3. Appointing an EU Representative
- 5. Choosing a New Lead Supervisory Authority
- 6. Summary of Your Brexit Transition Privacy Checklist
The data protection aspects of Brexit have received relatively little attention in the mainstream press. But data is a crucial consideration for every business with customers, clients, or business partners in the European Economic Area (EEA).
At the time of writing, there's still a lot of uncertainty about what will happen on January 1, 2021. Many businesses are "in limbo" and eagerly awaiting news about tariffs, customs checks, and deregulation.
However, when it comes to ensuring you can still receive personal data from the EEA next year, it's possible to prepare for a "worst-case scenario" without significant costs.
This article will help you get ready for the end of the transition period, whether or not the UK has secured a free trade agreement.
Understanding the Privacy Implications of Brexit
In preparing for the end of the transition period, your first task is to understand how the UK's data protection framework could change.
Below, we've answered some frequently asked questions about the privacy implications of Brexit.
Will the UK Receive an Adequacy Decision?
The EU's "adequacy" framework determines which countries can freely receive personal data from data controllers in the EEA (which includes the 27 EU countries plus Iceland, Liechtenstein, and Norway). There are 12 countries on the adequacy list, including Japan, Canada and New Zealand.
The EU has not yet determined whether the UK will be an "adequate" third country after the end of the transition period. It is by no means clear that the UK will receive an adequacy decision.
Some commentators argue that if the EU and the UK successfully negotiate a free trade agreement, the EU will grant the UK an adequacy decision as part of this agreement.
But the UK may leave the EU without a free trade agreement or an adequacy decision. In this scenario, businesses that have not prepared will face difficulties maintaining the flow of personal data from the EEA to the UK.
With many questions still unanswered and very little time left, the UK government strongly recommends preparing for a "no-deal" and "no adequacy decision" scenario. Our transition checklist will help you do this.
Will the GDPR Continue to Apply in the UK Post-Brexit?
The UK will continue to apply the same data protection standards from January 1, 2021. Data protection and privacy will continue to be regulated by the UK's Data Protection Authority, the Information Commissioner's Office (ICO).
However, there will be some major changes to how data protection law works and how UK and EEA businesses exchange personal data. These include the repeal of the "EU GDPR" in the UK and the entry into force of the "UK GDPR."
What is the UK GDPR?
The UK GDPR is the UK's version of the GDPR that will apply from January 1, 2021. The government will be able to amend the UK GDPR but, at first, it will remain the same in key areas, such as:
- Principles of data processing
- Data subject rights
- Lawful bases for processing
This means UK businesses will need to continue applying the same data protection standards after the end of the transition period.
The amendments to the UK GDPR are published in a "Keeling Schedule," available on the UK government's website, to help people keep track of the changes. Here's an example of the types of changes that have been made (at page 5 of the Keeling Schedule):
In the image above (taken from the Keeling Schedule), you can see how references to "the Union" have been replaced by references to "the United Kingdom." References to "Member State law," meaning the law of an EU country, have been replaced by references to "domestic law," meaning UK law.
Will the UK Data Protection Act 2018 Still Apply?
The UK Data Protection Act 2018 (DPA 2018) will continue to apply in the UK after the end of the Brexit transition period. It sits alongside the UK GDPR.
Some parts of the DPA 2018 have also been amended to reflect the incorporation of the GDPR into UK law as the UK GDPR, to remove references to the EU, and to implement the UK's adequacy framework.
The amendments to the DPA 2018 are also available in a Keeling Schedule. Here's an example of some of the recent amendments to the DPA 2018 (at page 129 of the Keeling Schedule):
In the image above, you can see changes to the rules around how the ICO must coordinate with EU DPAs now that the ICO is no longer a member of the European Data Protection Board (EDPB).
These changes are unlikely to affect most small and medium-sized businesses, but it's important for all businesses to understand the fundamental changes occurring to the legal framework of the UK due to Brexit.
Facilitating EEA/UK Data Transfers
Data transfers from the EU to the UK have been unaffected throughout the transition period. But once the transition period ends, things may get more complicated.
This section applies to data flows from the EEA to the UK, meaning:
- UK controllers or processors receiving personal data from EEA controllers, and
- EEA controllers sending personal data to UK controllers or processors
Data flows in the opposite direction (from the UK to the EEA) will be mostly unaffected by Brexit.
If you aren't sure whether your business is a controller or a processor, see our article GDPR Data Controller vs. Data Processor.
To ensure that personal data is protected once it leaves the EEA, EEA-based data controllers are only allowed to transfer personal data to non-EEA controllers and processors under one of the following conditions:
- The receiver is located in a country subject to an adequacy decision
- The transfer is subject to a written agreement containing standard contractual clauses (SCCs) adopted by the European Commission
- The transfer is subject to a set of binding corporate rules (BCRs)
- One of the GDPR's limited derogations for exceptional situations applies
As explained above, you cannot assume that the UK will receive an adequacy decision. Therefore, UK businesses receiving personal data from EEA businesses will need to rely on one of the other three safeguard options.
The onus is on the sender of personal data (i.e., the EEA-based controller) to ensure that personal data is protected during and after the transfer. However, the receiver will also want to ensure that the transfer is legally compliant.
For most businesses, the most appropriate choice of safeguard is likely to be option 2: SCCs.
This means UK businesses that receive personal data from the EEA and EEA businesses that send personal data to the UK must ensure:
- There is a written contract covering the transfer/ongoing transfers
- The contract contains one of the sets of SCCs adopted by the European Commission
- Both businesses have assessed whether the SCCs are sufficient to safeguard the personal data
- If the SCCs are not sufficient, the businesses have implemented supplementary safeguards
For more information on using SCCs, see our article Using Standard Contractual Clauses.
It may also be possible to rely on option 4 (derogations) for one-off transfers. The EEA-based sender of the personal information will need to determine whether this would be lawful in each case.
For more information on all other data transfer safeguard options, including the exceptions to the GDPR's data transfer rules, see our article Transferring Personal Data Out of the EU.
Appointing an EU Representative
The EU requires some non-EEA organizations to designate an "EU representative," who will act as their legal presence in the EEA.
This section applies to UK businesses that are not established in the EEA, and:
- Offer goods and services to EEA consumers, or
- Monitor the behavior of people in the EEA
If you aren't sure whether you "are established in the EEA," "offer goods and services in the EEA," or "monitor the behavior of people in the EEA," see our article How EU and U.S. Privacy Laws Apply to Foreign Businesses.
Not all UK companies will need to appoint an EU representative, even if they do meet the conditions above. Your business might not need to appoint an EU representative if it meets all of the following three conditions:
- It only occasionally processes personal information
- It doesn't process personal information in a way that is likely to result in a risk to the "rights and freedoms" of people in the EEA, and
- It doesn't process large amounts of "special category" (sensitive) data or criminal records data
An EU representative is your company's main contact for EEA consumers and DPAs. They can be called before an EEA court if you violate the GDPR. They can also help keep records of your EEA data processing.
Your EU representative can work directly for your company, or they may be a contractor or agency worker. In fact, anyone can be your EU representative, as long as they meet the following three conditions:
- They have a legal presence in an EEA country
- They speak an EEA language
- They are not your Data Protection Officer (assuming you have one)
Appoint your EU representative in whichever EEA country your business has the most significant presence.
You'll need to appoint your EU representative in writing.
For more information about how to do this, see our article GDPR Appointment of EU Representative Letter.
- The relevant laws that apply to your processing of personal data (i.e. the UK GDPR and the DPA 2018)
- Any changes you have made due to Brexit (e.g. information about your data transfer safeguards)
- Details of your EU representative
Choosing a New Lead Supervisory Authority
The one-stop shop mechanism (OSS) applies to businesses that engage in cross-border transfers of personal data within the EEA.
This section is relevant to businesses that are:
- Based in the UK
- Established in the EEA
- Engaged in cross-border processing of personal data between EEA member states
For example, this section applies if you are based in the UK, have an office in France, and have customers in multiple EEA countries.
If a data protection issue arises concerning multiple EEA countries, the OSS mechanism means that an EEA business will only need to deal with the DPA in its "main establishment." This main establishment DPA is known as the company's "lead supervisory authority." The OSS thus saves businesses operating in more than one EEA country from dealing with multiple DPAs.
Brexit means that the ICO may stop participating in the OSS. This means that if the ICO is your lead supervisory authority, you may need a different DPA to act as your lead supervisory authority after the end of the transition period.
Whilst it is not strictly possible to choose your LSA, you should try to determine which EEA country is your main establishment so that you know who to approach in the event of an incident concerning your cross-border processing activities.
The Article 29 Working Party states that your main establishment is the EEA country in which your "central administration" is located. This has a slightly different meaning for controllers and processors.
For controllers, the central administration is: "where decisions about the purposes and means of the processing of personal data are taken" and which "has the power to have such decisions implemented."
For processors, the central administration is: "where the main processing activities take place."
Once you know where your central administration, and thus your main establishment, is located, you will know which DPA to approach if you suffer a data breach or need to consult on a data protection impact assessment (DPIA).
Summary of Your Brexit Transition Privacy Checklist
To prepare for the end of the UK's transition out of the EU, you may need to take one or more of the following steps:
- Familiarize yourself with the UK's post-Brexit data protection legal framework
- Set up a data transfer safeguard mechanism for any personal data you receive from controllers in the EEA
- Appoint an EU representative established in an EEA country
- Consider whether you need to choose a new lead supervisory authority under the one-stop shop mechanism