The Data Protection implications of Brexit

    It’s been well documented that the United Kingdom’s membership of the European Union ended on the 31st of January 2020, after which a transition period commenced, ending on the 31st of December 2020.

    There are many areas that needed to be agreed upon during this time including Data Protection and how the transfers of personal data will flow between the EU and the UK as part of the new relationship.

    The UK GDPR

    The UK GDPR will replace the EU’s GDPR at the end of the current transition period at midnight on the 31st of December 2020, the main difference being that the EU references are removed and replaced with British equivalents.

    This regulation will apply to all data controllers and processors who process UK residents’ personal data. Furthermore, any data controllers outside the UK would have to comply with the UK GDPR if they are processing data of UK residents. This includes processing activities such as offering goods or services to residents of the UK or monitoring their behaviour.

    Any EU citizens living and working in the UK after Brexit will be covered by the UK GDPR and not the European Union’s regulation. A non-UK organisation will need to consider whether it is subject to UK data protection laws and appoint a UK-based representative if necessary.

    As with the EU GDPR, significant fines will still apply under the UK GDPR for noncompliance. Fines of up to £17.5m or 4% of the annual turnover of an organisation (whichever is higher) can be administered for serious breaches. For less serious breaches, a fine of £8.7m or 2% of turnover can be enforced.

    The EU GDPR After the Transition Period

    The EU’s GDPR will continue to apply to UK data controllers who process the personal data of EU residents. This includes offering goods or services to residents in the EU or monitoring their behaviour.

    It will also apply to UK-based companies who employ EU residents. This scenario may be common in a company based in Northern Ireland that employs residents of both the Republic and Northern Ireland. There are numerous examples of organisations based in Northern Ireland whose workers commute across the border from their homes in the Republic. In these cases, the employer, who is the data controller, will need to comply with both the UK GDPR and the EU GDPR to protect the personal data of their employees.

    A UK organisation will need to review its data processing activities, consider whether it is subject to EU data protection laws, and appoint an EU-based representative if necessary.

    What Happens Next?

    The Brexit trade deal negotiations are ongoing and entering the crucial final months before the end of the transition period. There is still no clarity on the outcome. However, there are currently multiple scenarios for how a future relationship would look in terms of Data Protection from January 1st, 2021.

    Scenario 1 - A Deal is Agreed: this is what most data controllers and processors will likely be hoping for. A deal is struck that includes a data transfer arrangement that recognises the UK as a country with an “Adequate” Data Protection regime.

    Scenario 2 - No Trade Deal but an Agreement on Data Transfers: this would also be positive news for data controllers and processors. No overall deal is struck; however, an arrangement is made to continue cross flows of data.

    Scenario 3 - No Deal: this is the outcome that controllers and processors will not want. No deal is agreed, and the UK becomes a “Third country” with no adequacy decision. This is the scenario that EU-based organisations and businesses will need to carefully plan for.

    Scenario 4 - The Transition Period is Extended: this is the most unlikely, but not impossible, outcome. The transition period is extended.

    To learn more about these possible scenarios after the transition period, as well as adequacy in the GDPR, the challenges the UK faces in receiving an adequacy decision, Standard Contractual Clauses, Binding Corporate Rules, Derogations etc., Sytorus have a free 20-minute “Brexit Implications for Data Protection” training module with a questionnaire at the end. You can access the module by clicking on the link below and filling out the form:
