What the draft Brexit agreement means for data protection

GDPR and Brexit During Transition


In case you missed it, the Cabinet in Westminster has “agreed” Theresa May’s draft Brexit Agreement for moving the UK out of the EU next year.

Whilst the media continue to dissect the agreement and whether the Cabinet really does “back” the proposals, and discussions continue about the impact it has on the Northern Ireland border, the economy, what it will mean to business, etc., it’s also worth pointing out that the agreement includes some bits about data protection compliance too, which could have an impact on any UK business that currently processes, or wishes to process in a post-Brexit world, EU citizen data.

Remember that the GDPR requires that if you process EU citizen data outside the EU then it must only be done if adequate controls are in place for that processing. Essentially, you have to make sure that where the data is being processed has EU-equivalent data protection and privacy controls. That usually comes down to whether the country where the data is being processed has similar data protection laws approved by the EU or there is some kind of agreement in place (e.g. the EU-US Privacy Shield).

Of course, when the UK leaves the EU we will no longer be part of the EU and potentially will be seen as one of these “third countries”. That has ramifications for UK businesses, whose position could become similar to that of any company outside the EU processing EU citizens’ data, particularly if they are either targeting EU citizens or if EU businesses are using them to process their data (remembering the wider definition of what processing means).

So, as with everything else Brexit-related, it’s important that we understand the implications for our data processing. Essentially, we need to understand: will the UK have equivalent, and therefore adequate, data protection controls in place (approved by the EU as such), and if not, what kind of agreement can be put in place to ensure that we can process EU citizens’ data going forward?

So, what does the Brexit draft say about data protection? Well, it is mentioned, as the EU very helpfully summarised in their press release yesterday:

“Use of data and information exchanged before the end of the transition period

During EU membership of the United Kingdom, private and public bodies in the UK have received personal data from companies and administrations in other Member States.

The Withdrawal Agreement provides that, after the end of the transition period, the UK has to continue applying the EU data protection rules to this “stock of personal data”, until the EU has established, by way of a formal, so-called adequacy decision, that the personal data protection regime of the UK provides data protection safeguards which are “essentially equivalent” to those in the EU.

The formal adequacy decision by the EU has to be preceded by an assessment of the data protection regime applicable in the UK. In the case where the adequacy decision were annulled or repealed, data received will remain subject to the same “essentially equivalent” standard of protection directly under the Agreement.”

What this means in practice is that we’re probably looking at the following regime (all subject to agreement in Parliament and across the EU of course):

  • UK businesses will need to continue to process EU citizens’ data collected or processed before Brexit according to EU standards (currently the GDPR) until a decision is made on the UK’s status with regards to “adequacy”
  • The EU are going to want the UK to prove that, going forward, its data protection laws are adequate (and in line with GDPR), but of course, the Data Protection Act 2018 makes sure that the GDPR is part of UK law once we’ve left
  • There’s still a chance the EU could decide that the UK does not have adequate data protection rules, and if that is the case then, regardless, pre-Brexit data will still need to be processed according to the GDPR

That all seems reasonable. Why would the EU think the UK’s data protection laws don’t match those of the EU? After all, the ICO was involved in the discussions and drafting that led to the GDPR, they’re part of the EU group of data regulators (formerly the Article 29 Working Party) and we have the Data Protection Act 2018. Well, let’s hope it is that simple – after all, the EU doesn’t quite like some other things the UK has in place regarding data, such as data retention policy.

The draft agreement is of course not the end of the Brexit debacle, nor of the debates or rhetoric, so we all need to keep an eye on what Brexit could mean for our EU data processing activities: now, during the transition and after we’ve left (assuming we do, of course!).
