At the time of writing this article (22nd December 2020), we are less than 2 weeks away from the end of the Brexit transition period. Whilst it is being suggested that the bulk of any agreement between the UK and EU has been agreed, there are still sticking points which are holding everything up.
This leaves a number of potential outcomes come the 1st January 2021 (when the Brexit transition period ends):
- The “sticking” points in the discussions derail the whole Brexit agreement with the EU meaning that we have a “no deal” Brexit
- The “sticking” points are separated from the agreed provisions of the agreement and we get a part-deal Brexit
- The “sticking” points are sorted and a Brexit deal is agreed
The truth of the matter is that it is still not clear which of these outcomes will arrive by the end of the year, or indeed whether extensions will roll on into 2021. We probably all expected there to be clarity by now, particularly as the government has been pushing its “time is running out” campaign telling us to prepare, but with little guidance about what we are supposed to be preparing for. And even if a no-deal Brexit is averted, it is still not clear what that means for GDPR compliance.
Post-Brexit and the GDPR issues (for UK businesses)
At the moment, you have little choice than to wait and see or plan ahead, but these are the things you need to consider:
- Even though we will not be part of the EU, the GDPR will still apply in the UK. We will have UK GDPR which will apply alongside the existing Data Protection Act 2018. So, generally speaking, for UK businesses there is no change: if GDPR applies to you now, it will continue to apply to you, post-Brexit transition
- You will have to consider whether your EU customers will expect you to have standard contractual clauses (SCCs) in place to deal with the fact that EU to UK data flows will be restricted in the absence of an adequacy decision. The SCCs will be required where you act as a Data Processor for EU Data Controllers (or Processors)
- You may have to appoint (and publish details of) an EU representative if you sell products and services to EEA individuals, or, if you monitor the behaviour of individuals in the EEA – this is likely to be the case whether there’s a Brexit deal or not
- If you operate within the EU but have customers in multiple EU member states, you are unlikely to be able to make use of the regulatory authority “one stop shop” and may have to answer to the ICO in the UK as well as multiple regulatory authorities across the EU – this is likely to be the case whether there’s a Brexit deal or not
GDPR in the UK, post-Brexit transition (for all non-UK (including EEA) businesses)
As well as the above considerations, Brexit introduces an additional consideration for all non-UK businesses: just as UK businesses will have to consider whether they need an EU representative, organisations outside the UK (including those in EEA countries) will need to appoint a UK representative if they sell products or services to UK individuals or if they monitor the behaviour of UK individuals (essentially the same rules as for an EU representative, just the other way round).
What’s the EU telling EU businesses?
In terms of guidance, it seems we are expected to plan for a no-deal Brexit. That certainly seems to be the case for EU businesses, who are being advised by the EDPB to prepare before the end of the year for a no-deal scenario.
What does this mean in practice for UK organisations?
If you process EU data (whether as a Data Controller or Data Processor) you will need to consider the implications for your EU data processing. In reality this could mean any of the following, if there is no deal covering the UK-EU GDPR relationship:
- You will either need to put the Standard Contractual Clauses in place for your EU customers, or expect your EU customers to ask you to sign the Clauses
- You may need to appoint an EU representative
- You will continue to be answerable to the ICO, but could also be answerable to any of the EU member states’ regulatory authorities; if you have an establishment within the EEA then you will need to identify whether you carry out any cross-border processing and which regulatory authority is your lead authority
Providing cost-effective, simple to understand and practical GDPR and ePrivacy advice and guidance, via my one-stop-shop helpline. I ❤️ GDPR