As we hurriedly approach the March 2019 Brexit deadline, organisations in the United Kingdom and abroad are still ironing out the wrinkles in their new data protection standards and policies.
With looming Brexit deadlines creating economic uncertainty, how can organisations maintain General Data Protection Regulation ((EU) (2016/679)) (GDPR) compliance and what impact will Brexit have on organisational data policies?
Brexit and GDPR timeline
The GDPR received European Parliamentary approval in April 2016 with the backing of the United Kingdom. Just months following this approval, the United Kingdom voted in favour of leaving the European Union (EU), formally starting Brexit procedures in March 2017.
The GDPR became directly applicable in EU member states from 25 May 2018 onwards, of which the United Kingdom was and continues to be included until formal withdrawal has occurred.
In the United Kingdom, the Data Protection Act 2018 (DPA 2018) received Royal Assent just 2 days prior to the GDPR regulations taking effect. The DPA 2018 is designed to supplement the GDPR and to ensure that the UK maintains GDPR principles post-Brexit.
If the UK and the EU ratify a withdrawal agreement by 29 March 2019, the UK will leave the EU on the date specified in the withdrawal agreement. Current negotiations have this withdrawal date as 30 March 2019 with a transitional period until 31 December 2020. However, if the UK and the EU do not conclude a withdrawal agreement by 29 March 2019, the withdrawal will still take effect on 29 March 2019 with no transitional period unless the European Council (acting unanimously) and the United Kingdom agree to extend the two-year period.
The European Union (Withdrawal) Act 2018 will incorporate operative ‘direct EU legislation’ as part of domestic law on or after the withdrawal date. This means that the GDPR will remain in force within the UK and that the UK data protection environment will continue to be subject to the GDPR supplemented by the DPA 2018 regardless of whether there is a Withdrawal Agreement reached.
So if the GDPR remains operative in the United Kingdom, what will be the specific risks of GDPR compliance post-Brexit?
Upon the United Kingdom’s departure from the EU it will become a ‘third country’ for the purposes of EU law (depending on a Withdrawal Agreement, this may occur on the withdrawal date or at the end of any transition period). A third country is a country other than the EU member states and the three additional EEA countries (Norway, Iceland and Liechtenstein). A change in status will mean United Kingdom data protection legislation needs to stand up to scrutiny by the European Commission and that data will no longer be able to flow freely between the United Kingdom and EU until a formal adequacy decision has been made from the European Commission.
This will have implications for personal data received/processed prior to the withdrawal date and any personal data to be received/processed from the withdrawal date and is something that needs to be anticipated and accommodated in ongoing commercial contracts.
Not only will compliance need to be reviewed at any major Brexit-GDPR development, the costs and practicality of compliance need to be kept under surveillance with steps in place to ensure that no undue cost or burden is unintentionally adopted by an organisation. Care should be taken in relation to service providers and suppliers who deal with personal data as well as any data transfer arrangements that currently operate within your organisation.
Our advice is to ensure that you continue with the establishment of GDPR compliance programs, standards and policies within your organisation with additional thought being given to Brexit clauses in contracts currently under negotiation.