The UK is set to exit the European Union on 29 March 2019 and there still isn’t an agreed exit deal on the table. So what?
It’s not the regulator that you have to worry about so much as all the service providers in the EU and UK that you work with who might restrict or terminate services if you don’t bring your policies up to date with the changes.
If there is no deal then the UK faces huge disruption to trade, security, medicine availability, travel, workplace regulations and citizenship of UK citizens in other parts of the EU.
What does a no deal Brexit mean for companies outside of the UK and the EU?
Instead of being able to treat all of your business arrangements with the UK and EU the same, you will have to review all arrangements with the UK to make sure they are still applicable, particularly where laws are different, and that is where the whole GDPR issue comes in.
Why is a ‘no deal Brexit’ important for GDPR privacy legislation and who would this affect?
Under the GDPR (General Data Protection Regulation), the UK is currently part of the EU; however, from 29 March 2019 (or a later date if this is extended), the UK will be an independent country and EU laws will no longer take effect.
If a no deal exit happens, the transfer of data between the EU and the UK will be restricted under the GDPR from 29 March 2019. It is possible that the UK will be granted adequacy status (yes, that is a technical term), but this cannot be assessed until after the exit has happened (and will likely take several months). In the meantime, the transfer of personal information from the EU into the UK must be completed using a standard contractual clause (‘SCC’) in the format approved by the EU.
Sounds complicated? Let’s break it down and look at the implications:
No deal Brexit GDPR SCENARIO 1 – Any business relying on the US Privacy Shield for the transfer of personal data into or out of the UK
No deal Brexit GDPR SCENARIO 2 – Office in the UK collecting data about citizens in the EU
- You operate any kind of online membership subscription service that has EU resident subscribers.
- You have an online retail store that is open for EU residents to make a purchase.
- You provide advisory services and have clients resident in the EU.
For any personal data coming from a country within the European Economic Area (EEA), and Norway, Liechtenstein, Gibraltar, Iceland and any of the countries that have adequacy status (Andorra, Argentina, Canada, Faroe Islands, Guernsey, Isle of Man, Israel, Japan, Jersey, New Zealand, Switzerland, Uruguay), you will need standard contractual clauses in place as part of your privacy policies and procedures.
For the benefit of small business, you will now be able to implement geo-blocking without breaching the geo-blocking anti-discrimination regulations.
If you don’t have an office in the EU, you will need to appoint a privacy representative in the EU. There are a few around who offer subscription-based services. You will need to appoint someone in a place where you have customers. You can’t just randomly choose a country.
No deal Brexit GDPR SCENARIO 3 – Office in the EU and not the UK
Look carefully at where your data goes. There will no longer be a free flow of data from EU to UK. If you transfer data to the UK then your data subjects (the people whose personal information you hold) will have to be told that it’s being transferred. This will require communication to your database.
No deal Brexit GDPR SCENARIO 4 – Business outside the EU and UK, collecting data from EU or UK
What are the chances of a no deal Brexit?
In early March 2019 banks are reportedly predicting a 15% chance of no deal. Although it doesn’t sound like much of a chance, the ensuing chaos if it does happen has huge consequences. So it’s better to think about how you might be impacted now, rather than wait for the fallout.
And if there is a deal?
Then there will be a transition period and you will have until 2020 to implement changes.
Think you need GDPR help?
Drop us an email to email@example.com or Contact Us using our contact form and we can help you make any amendments to your GDPR policy and procedures in anticipation of the changes to come.