The UK is set to exit the European Union on 29 March 2019 and there still isn’t an agreed exit deal on the table. So what?

It’s not the regulator that you have to worry about so much as all the service providers in the EU and UK that you work with who might restrict or terminate services if you don’t bring your policies up to date with the changes.

If there is no deal then the UK faces huge disruption to trade, security, medicine availability, travel, workplace regulations and citizenship of UK citizens in other parts of the EU.

What does a no deal Brexit mean for companies outside of the UK and the EU?

Instead of being able to treat all of your business arrangements with the UK and EU the same, you will have to review all arrangements with the UK to make sure they are still applicable, particularly where laws are different, and that is where the whole GDPR issue comes in.

 

 

Why is a ‘no deal Brexit’ important for GDPR privacy legislation and who would this affect?

Under the GDPR (General Data Protection Regulation), the UK is currently part of the EU; however, from 29 March 2019 (or a later date if this is extended), the UK will be an independent country and EU laws will no longer take effect.

If a no deal exit happens, the transfer of data between the EU and the UK will be restricted under the GDPR from 29 March 2019. It is possible that the UK will be granted adequacy status (yes, that is a technical term), but this cannot be assessed until after the exit has happened (and will likely take several months). In the meantime, the transfer of personal information from the EU into the UK must be completed using a standard contractual clause (‘SCC’) in the format approved by the EU.

Sounds complicated? Let’s break it down and look at the implications:

No deal Brexit GDPR SCENARIO 1 – Any business relying on the US Privacy Shield for the transfer of personal data into or out of the UK

There is approved wording that needs to be added to the privacy policy of the US entity (yes, the wording is specific) to ensure that the Privacy Shield takes effect for the transfer of personal data to the UK.

No deal Brexit GDPR SCENARIO 2 – Office in the UK collecting data about citizens in the EU

Examples:

  1. You operate any kind of online membership subscription service that has EU resident subscribers.
  2. You have an online retail store that is open for EU residents to make a purchase.
  3. You provide advisory services and have clients resident in the EU.

For any personal data coming from a country within the European Economic Area (EEA), and Norway, Liechtenstein, Gibraltar, Iceland and any of the countries that have adequacy status (Andorra, Argentina, Canada, Faroe Islands, Guernsey, Isle of Man, Israel, Japan, Jersey, New Zealand, Switzerland, Uruguay), you will need standard contractual clauses in place as part of your privacy policies and procedures.

For the benefit of small business, you will now be able to implement geo-blocking without breaching the geo-blocking anti-discrimination regulations.

If you don’t have an office in the EU, you will need to appoint a privacy representative in the EU. There are a few around who offer subscription-based services. You will need to appoint someone in a place where you have customers. You can’t just randomly choose a country.

No deal Brexit GDPR SCENARIO 3 – Office in the EU and not the UK

Look carefully at where your data goes. There will no longer be a free flow of data from EU to UK. If you transfer data to the UK then your data subjects (the people whose personal information you hold) will have to be told that it’s being transferred. This will require communication to your database.

No deal Brexit GDPR SCENARIO 4 – Business outside the EU and UK, collecting data from EU or UK

When the UK leaves the EU, the GDPR will be incorporated into the UK’s domestic law under the European Union (Withdrawal) Act, which came into effect on 26 June 2018. So not much changes here. You should already have in place a compliant GDPR privacy policy and SCCs protecting the flow of data of EU citizens. There are small variations in the UK legislation that are different from the GDPR but those variations shouldn’t impact your data processing or control.

What are the chances of a no deal Brexit?

In early March 2019 banks are reportedly predicting a 15% chance of no deal. Although it doesn’t sound like much of a chance, the ensuing chaos if it does happen has huge consequences. So it’s better to think about how you might be impacted now, rather than wait for the fallout.

And if there is a deal?

Then there will be a transition period and you will have until 2020 to implement changes.

Think you need GDPR help?

Drop us an email to advice@onyxonlinelaw.com or Contact Us using our contact form and we can help you make any amendments to your GDPR policy and procedures in anticipation of the changes to come.