In recent weeks the dynamic shifted from “will Brexit ever happen” to “best get ready for Brexit” to “stick it on the agenda for next year” as Brexit was delayed once again. That said, the uncertainty surrounding Brexit, and the technical and legal issues that have arisen and will continue to arise when (if?) we enter a post-Brexit world, create a real headache for businesses. Whilst many businesses may take the opportunity to push Brexit preparation into 2020, anticipating how your business is likely to be affected by Brexit – and being ready for it – is not something to be sniffed at.
One of the key areas that Brexit will affect for most businesses is data protection compliance. Since the introduction of the General Data Protection Regulations (“GDPRs”) and the Data Protection Act 2018, data protection compliance should be at the forefront of most businesses’ minds; it remains high on the agenda in relation to Brexit.
So how will a no-deal Brexit affect your GDPR compliance?
Even though the GDPRs are an EU regulation, they will continue to apply post-Brexit because they are already incorporated into the Data Protection Act 2018, which will stay on the statute books. This means that businesses operating within the UK will still be required to comply with GDPRs, and the serious penalties for breaches or non-compliance remain very real. However, Brexit does not leave the UK data protection regime unaffected and there are significant changes to consider:
- The role of the UK Information Commissioner’s Office (“ICO”) - The ICO will not be the regulator for any European-specific activities; a separate additional supervisory authority will need to be appointed for EU activities. If your business operates within Europe and your only supervisory authority is the ICO, you will need to appoint an additional supervisory authority for European activities.
- Data transfers - Brexit will have the effect of making the UK what is known under UK data protection rules as a ‘third country’; the UK will therefore no longer enjoy the free flow of personal data between the UK and other European countries. This means that GDPR transfer rules will apply to any personal data coming from the EEA back into the UK. In practice, where you transfer personal data outside of the UK to a country within the EEA there will be no restriction, but the return of that data to the UK (or where the data relates to EU citizens) will require additional safeguards. The main safeguard considered by the ICO is that of Standard Contractual Clauses. We recommend that you review your current data flows and assess whether you should consider the adoption of Standard Contractual Clauses (such as the EU Model Clauses) as an appropriate way of achieving the necessary safeguards. You may want to consider reviewing contracts you have in place with customers and/or suppliers and ensuring you are aware of what changes (if any) are required.
- Marketing, cookies and electronic communications – The rules around marketing, electronic communications and cookies, and the use of personal data for such purposes, are currently governed by the Privacy and Electronic Communications Regulations (“PECR”). These rules will continue to apply post-Brexit. The EU is currently consulting on the new e-privacy regulation. It is unlikely that this will be implemented before Brexit (but you never know!), in which case it will not form part of UK law in the event of a no-deal Brexit. The current PECR will continue to apply in its current form, but please note that the UK may still adopt principles similar to any new e-privacy regulations, if this affects any ‘adequacy decision’ or ways of working within the UK, when working with EU personal data.
Being aware of the areas of your business which could be affected by a no-deal Brexit and the steps required is the best way to prepare. Whilst we are still some way off knowing exactly what changes might be needed, reviewing your current procedures and contracts will put you in a stronger position for implementing any required changes and reduce the risks to your business. The ICO’s guidance will be a great starting point for all types and sizes of businesses.
Rebecca Leeves is a Senior Associate in DMH Stallard’s Commercial team. Contact her at Rebecca.firstname.lastname@example.org, or call 01273 744246.