Brexit Data Protection Issues for United Kingdom

The result of the British referendum and the decision to leave EU was probably the most discussed issue this month. Many authors tried to determine, what would be the impact of Brexit.

The article gives an overview of the conclusions that are common for the majority of them. Then, it describes the ways, in which the EU General Data Protection Regulation would still have an effect on the UK. Finally, it outlines the possibilities of data protection regimes based on the different options for UK-EU relations.

Here is the list of the conclusions that are common for the majority of authors:

• Brexit does not have any immediate effect on the data protection regime right now
• New General Data Protection Regulation will come into full force on May 2018, the Referendum does not change the fact. ”Unless the UK and the EU reach an agreement as to the status of UK data protection law (i) prior to 25 May 2018, there will be a period of time between 25 May 2018 and the Exit Date when the GDPR will become law the UK and (ii) after Exit Day, the GDPR will (without more) cease to be effective in the UK.” (source)
• No matter what happens during the Brexit negotiations, “the UK will remain part of the Council of Europe and its 1981 Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (ETS No. 108) will continue to impose obligations on the UK with regard to data protection)” (source)

Even after the Exit day, the General Data Protection Regulation would still have an impact on the United Kingdom in many different ways (source):

• the GDPR is extra-territorial in effect – controllers and processors who are outside the EU (which will include the UK post Exit Day) are subject to its rules if the data they process relates to an individual in the EU when goods or services are being offered to that individual or where monitoring of their behaviour (online behavioural advertising) takes place in the EU
• multi-national companies will need to comply with the GDPR in other EU countries, therefore, compliance in the UK should form part of the EU-wide compliance programme
• from a contractual perspective, entities that allow third parties to process personal data will expect those entities to treat data from any EU country in the same way. Therefore, the requirements of the GDPR will still apply for UK processors

This is an overview of data protection consequences of different options for UK-EU negotiations (source):

• the EEA option: under which the UK joins the EEA and is legally obliged to implement GDPR;
• the Swiss option: under which the UK would likely have to implement GDPR-type obligations to secure a trade deal;
• the WTO option: under which the UK may also have to implement GDPR-type obligations to secure a trade deal.
• UK could try to negotiate its own form of Privacy Shield to secure adequacy status

What are the UK companies supposed to do now?

The article at JD Supra includes these guidelines:

• Continue to comply with all current UK data protection law;
• Don’t make any hasty decisions about reconfiguring corporate structure or moving data centres;
• Plan for GDPR implementation;
• Many businesses are considering using GDPR-readiness exercises as a “stepping stone” towards a full Binding Corporate Rules application;
• If you’re a vendor/data processor, consider a BCRs for Processors application following any GDPR readiness exercise;
• Track the political developments, although we are unlikely to get much clarity on this for at least a few months.