UK and EU businesses that share personal data must take appropriate steps to keep their operations running smoothly after Brexit, whether the UK leaves the EU with or without a deal.
Continuing GDPR compliance may or may not be top of your Brexit agenda. But processing personal data underpins many of your business activities. Failing to prepare for Brexit could lead to you breaking data protection law.
We're going to separate some myths from reality and consider what steps you should take to mitigate the impact of Brexit on this aspect of your business.
Note that we've produced this guidance for UK and EEA businesses. US businesses operating in the UK should read "Privacy Policy for Brexit."
TermsFeed is the world's leading generator of legal agreements for websites and apps. With TermsFeed, you can generate:
- 1. Will the GDPR Still Apply in the UK After Brexit?
- 2. Possible Brexit Scenarios
- 2.1. Leaving With a Deal (Withdrawal Agreement)
- 2.2. Leaving Without a Deal ("No-Deal" Brexit)
- 2.3. Remaining in the EU
- 3. Definitions
- 4. UK/EEA Data Transfers After Brexit
- 4.1. Which Businesses Need to Put Safeguards In Place?
- 4.2. Which Businesses Will Not Need to Put Safeguards In Place?
- 4.3. What About EEA/UK Customers?
- 4.4. How Soon Do I Need to Have Safeguards in Place?
- 5. How to Put Safeguards in Place
- 5.1. Standard Contractual Clauses
- 5.2. What About Binding Corporate Rules?
- 5.3. One-Off Transfers
- 5.3.1. Consent
- 5.3.2. Contract
- 5.3.3. Legitimate Interests
- 6. Updating Your Privacy Policy
- 7. Summary
Will the GDPR Still Apply in the UK After Brexit?
After Brexit, the UK will no longer be directly subject to EU regulations. However, there are confirmed plans to bring the General Data Protection Regulation (GDPR) into UK law. Therefore, the GDPR will still apply in the UK after Brexit.
The UK also has a national law called the Data Protection Act 2018, which implements parts of the GDPR into UK law and sets exemptions from particular aspects of the GDPR. There are no plans to amend or repeal the Data Protection Act after Brexit.
This means that data protection standards in the UK will not change after Brexit.
Possible Brexit Scenarios
Let's briefly look at the three most likely Brexit scenarios. Then we'll consider how these scenarios might affect UK businesses in terms of data protection.
Leaving With a Deal (Withdrawal Agreement)
The UK could leave the EU with a deal. The UK and the EU have agreed on a deal, but it hasn't yet been ratified by the UK Parliament. The UK Parliament must ratify any Brexit deal before it can be put in place.
The EU has agreed to extend the Brexit deadline until January 31st, 2020. Therefore, unless there is a further extension, the UK must leave the EU on this date, with or without a deal in place.
The UK could leave earlier January 31st, 2020 if a deal is ratified by the UK Parliament before this date.
Leaving Without a Deal ("No-Deal" Brexit)
The UK could leave the EU without a deal, also known as a "no-deal" Brexit. This would mean leaving the EU without any formal arrangements in place to regulate the UK-EU relationship.
No-deal Brexit is unlikely to occur before January 31st, 2020.
Remaining in the EU
It's still possible that Brexit won't happen at all.
There will be a general election in the UK in December of 2019. This could completely change the political landscape of the UK and could even lead to Brexit being reversed.
There are also calls for a second referendum, meaning that the UK public would be asked to reconsider its decision to leave the EU.
However, it seems increasingly likely that the UK will leave the EU. On this basis, you should plan for Brexit.
Definitions
Here's some of the terminology we'll be using throughout this article:
- EEA - The European Economic Area (EEA) is the area over which the GDPR applies, containing all 28 EU Member States, plus Norway, Lichtenstein, and Iceland.
- Business - In this article, we're using the term "business" as a shorthand for any data controller or data processor. This can be an individual, organization, non-profit, etc.
- Transfer - The GDPR places special rules on international transfers of personal data from inside the EEA to third countries. When the UK leaves the EU (and EEA), transfers from EEA countries to the UK will become international transfers.
UK/EEA Data Transfers After Brexit
Certain UK and EEA businesses should put safeguards in place to ensure they can continue transferring personal data after Brexit.
Which Businesses Need to Put Safeguards In Place?
There are two types of businesses that need to put data protection safeguards in place to prepare for Brexit:
- UK businesses that receive personal data from EEA businesses
- EEA businesses that send personal data to UK businesses
In other words, Brexit will affect personal data transfers from the EEA to the UK.
Here are some examples:
- A UK hotel chain that receives details about guests from a Spanish travel agent
- A UK publisher that recruits German translators via a German recruitment agency
- A Polish school that sends details about exchange students to a UK school
- A Norwegian that uses a centralized HR department run by its parent company in the UK
Which Businesses Will Not Need to Put Safeguards In Place?
There are several types of businesses that will not need to put data protection safeguards in place to prepare for Brexit. For example:
- UK businesses that send personal data to EEA businesses
- EEA businesses that receive personal data from UK businesses
Brexit will not affect personal data transfers from the UK to the EEA. The UK government has stated that it will not restrict personal data transfers to the EEA after Brexit.
What About EEA/UK Customers?
These new rules don't apply where you're collecting personal data directly from customers or other individuals. Collecting personal data directly from the "data subject" is not considered a transfer of personal data.
UK businesses with customers in the EEA should already be processing their EEA customers' personal data in compliance with the GDPR. There shouldn't be any change to this requirement after Brexit.
Similarly, EEA businesses with customers in the UK should already be processing their UK customers' personal data in compliance with the GDPR. Again, there shouldn't be any change to this requirement after Brexit.
How Soon Do I Need to Have Safeguards in Place?
If the UK leaves the EU with a deal, data transfers from EEA businesses to UK businesses should remain as normal until at least the end of 2020.
Throughout this transition period, the European Commission will be deciding whether the UK should be an "approved third country." Being an approved third country would mean UK and EEA businesses could continue transferring personal data into the UK as normal.
So, if the UK leaves with a deal, one of two things should happen towards the end of 2020:
- The UK becomes an approved third country. In this case, UK and EEA businesses would be able to continue transferring personal data into the UK as normal.
- The UK does not become an approved third country. In this case, UK and EEA businesses would need to have safeguards in place to continue transferring personal data to the UK.
Note that there is no guarantee that the UK will become an approved third country. Certain aspects of UK data protection law are controversial within the EU.
If the UK leaves the EU without a deal, which could happen as soon as January 31st, 2020, there will be no transition period. The UK will cease to be an EEA country, and it will not be an approved third country.
In the event of a no-deal Brexit, UK businesses will need to have safeguards in place on Brexit day to continue receiving personal data from EEA businesses.
Therefore, affect UK and EEA businesses should put safeguards in place as soon as possible.
How to Put Safeguards in Place
The GDPR identifies several types of safeguards that allow EEA businesses to transfer personal data to non-EEA businesses. Affected businesses should ensure they are using one of these safeguards to continue transferring personal data into the UK.
Technically, the onus is on EEA businesses to put safeguards in place in time for Brexit. However, UK businesses should also take proactive steps to ensure that data transfers from the EEA remain lawful after Brexit.
Standard Contractual Clauses
Standard Contractual Clauses (SCCs) are specific terms that can be included in a contract between two businesses to make third-country data transfers lawful.
SCCs are legally binding. They ensure businesses receiving personal data will only process it in accordance with the GDPR.
For most businesses, SCCs will be the most appropriate safeguard. UK and EEA businesses need to:
- Draw up a contract containing SCCs, or insert SCCs into an existing contract, and
- Arrange for both parties to sign the contracts and retain signed copies
The Information Commissioner's Office (ICO), the UK's Data Protection Authority, provides some template contracts containing SCCs and guidance for businesses on how to use them.
To ensure you're using the correct set of SCCs, you need to understand the concepts of data controller and data processor.
- SCCs for contracts between two data controllers
- SCCs for contracts between a data controller and a data processor
SCCs are officially approved by the European Commission and must not be altered.
What About Binding Corporate Rules?
Binding Corporate Rules (BCRs) are another type of safeguard for facilitating third-country personal data transfers.
BCRs are only suitable for multinational corporations and enterprise groups. Therefore, they are not suitable for most businesses.
Further guidance about BCRs is available from the ICO.
One-Off Transfers
There may be one-off situations in which a UK business needs to receive personal data from the EEA, or an EEA business needs to send personal data to the UK.
The GDPR does allow for "occasional" third-country transfers that are not covered by SCCs or BCRs. However, certain conditions need to apply. Let's look at the three exceptions most likely to apply to your business.
Consent
If an EEA business needs to transfer an individual's personal data to a UK business without any safeguards in place, the transfer can still take place if the individual consents to it.
Consent under the GDPR is subject to very strict rules. The rules are even stricter when it comes to third-country transfers.
You must provide a lot of information to the individual when asking them if they consent to the transfer. Here's a list of all the relevant information, from the ICO:
If the individual explicitly consents, then the transfer can take place. Make sure you keep a record of the consent.
Contract
An EEA business might need to transfer an individual's personal data to a UK business in order to fulfill contractual obligations to that individual, or in order to enter into a contract with that individual.
This exception is designed to avoid breach of contract. If the transfer is truly necessary to fulfill the terms of the contract, then the EEA business can make the transfer without any safeguards in place.
This exception can also cover other beneficiaries of a contract.
Legitimate Interests
As an absolute last resort, an EEA business may be able to argue that it's in its legitimate interests to transfer personal data to a UK business. This would require the business to carry out a Legitimate Interests Assessment.
The EEA business must inform its Data Protection Authority if it plans to make a transfer covered by this exemption.
Updating Your Privacy Policy
You must update your Privacy Policy to let your customers know about your new data transfer arrangements.
Here's an excerpt from YouGov's Privacy Notice, which explains how the company uses SCCs:
Summary
It's hard to predict exactly how data protection arrangements will look after Brexit. Here are some of the possibilities:
The UK is due to leave the EU on January 31st, 2020. The UK could leave the EU with or without a deal.
- If the UK leaves with a deal, the European Commission will begin the process of deciding whether the UK is an "approved third country."
- There will be a transition period while this process takes place. Businesses can continue transferring personal data as normal throughout this time. This process should be completed by the end of 2020.
- If the Commission decides that the UK is an approved third country, businesses can continue transferring personal data as normal indefinitely.
- If the Commission decides that the UK is not an approved third country, affected businesses should have safeguards in place to continue lawfully transferring personal data.
- There will be a transition period while this process takes place. Businesses can continue transferring personal data as normal throughout this time. This process should be completed by the end of 2020.
- If the UK leaves without a deal, it will immediately become a non-approved third country. Affected businesses should have safeguards in place to continue lawfully transferring personal data.
The following types of business should put safeguards in place to prepare for Brexit:
- UK businesses that receive personal data from EEA businesses
- EEA businesses that send personal data to UK businesses
Most businesses should use Standard Contractual Clauses (SCCs) to safeguard personal data transfers after Brexit.
Comprehensive compliance starts with a Privacy Policy.
Comply with the law with our agreements, policies, and consent banners. Everything is included.
