Data protection has been a significant focus point since the May 2018 introduction of the General Data Protection Regulation (the "GDPR"). The uncertainty surrounding Brexit has caused widespread confusion about its effect on GDPR and whether organisations must continue to comply with GDPR in the event the UK leaves the EU.
Simply put, organisations will still have to comply with GDPR regardless of Brexit and (you may be unsurprised to hear!) compliance will become more complicated.
WHY WILL GDPR STILL BE WITH US IF WE'RE NO LONGER IN THE EU?
Legally, organisations will still have to comply with GDPR regardless of Brexit because:
- the EU Withdrawal Act will incorporate the GDPR into UK law in the event of Brexit; and
- the Data Protection Act 2018 (the "DPA"), which sits alongside GDPR, explicitly applies and adopts the text of the GDPR, making it part of our domestic law on data protection.
These measures reflect the importance the UK places on minimising barriers to data sharing with the EU as well as the UK's involvement in the original drafting of the GDPR.
DEAL OR NO-DEAL?
Although we know the GDPR will continue to apply, the continuing uncertainty over whether and on what terms the UK will exit the EU creates the potential for significant additional confusion and uncertainty as to how it will apply. Here are a few examples of the problems you may face.
- Revising all your data processing contracts: in the event of a no-deal Brexit, the UK will no longer benefit from the current presumption that its legal system provides adequate protection for EU citizens' rights. Existing contracts under which UK organisations process personal data of European customers will be in breach of the GDPR unless other steps are taken - the most practical of which will be to put in place additional, standardised EU data processing clauses. This will result in legal expense and distraction, as well as imposing additional risks and obligations on the contracting parties. The DPA's close alignment with the GDPR should allow the EU to rapidly adopt an "adequacy decision", making it easier for UK companies to process EU citizens' personal data. However, this will not happen immediately, meaning interim contracts incorporating the standard EU data processing clauses will be required.
- Appointing a data processing "representative" within the EU: Even if a "deal" is reached, UK organisations that regularly or systematically process EU citizens' data (for example, selling goods to European consumers or running a website with European registered users) will need to formally appoint a data processing "representative" within the EU and ensure that the representative has access to any records, knowledge and information it needs to deal with EU data protection authorities. In a "no deal" situation, all the necessary preparations will need to be made by the Brexit date.
- Multiple regulators and multiple fines: UK organisations processing EU citizens' data may find that they are subject to regulation by at least one - and possibly more - of the national data protection authorities across Europe, as well as by the UK's Information Commissioner. Organisations processing EU citizens' data will need to review and understand the guidance and the enforcement priorities of their EU regulators - which may of course conflict with one another. This will mean getting legal advice in at least one EU member state, and UK organisations could be exposed to penalties from both the ICO and an EU regulator for the same breach of data protection law.
WHAT SHOULD MY ORGANISATION DO?
In the event of Brexit, if your organisation uses the personal data of EU citizens, whether providing goods and/or services to them directly or under a data processing contract with a European customer, you will need to review your contracts to ensure you and your customers are not inadvertently in breach of data protection law. You will also need to consider where in Europe you are likely to be subject to regulation, appoint and liaise with a formal "representative" and get advice on how local data protection law differs from our own.
PDT's data privacy team can help your organisation identify its data protection risk areas and take steps to reduce the risk of enforcement action and negative publicity. Contact Noel Ruddy or Ian Lindley today to see how we can help you.