How will Brexit affect GDPR and Data Protection in the UK?

Why does Brexit affect GDPR?

GDPR, the landmark law that increased the rights of individuals over their own data, was introduced by the EU in 2018 and has been in effect ever since.

As a member of the EU, the UK was able to tailor this legislation to suit its own needs, which resulted in The Data Protection Act. Since 2018, organisations and businesses have had to abide by these regulations, and the UK’s Information Commissioner’s office has overseen its implementation. This includes levying some serious fines to those who have violated the regulations.

As we know, the UK voted to leave the European Union, with the much-delayed official Brexit happening on January 31st 2020. While the terms of a future relationship are still being negotiated, in January 2021 we will also exit the European Single Market and Customs Union.

So where do we stand now in terms of GDPR enforcement, and what is the future for data protection and privacy in the UK?

Are we saying goodbye to GDPR? 🇪🇺

Not so fast. Here’s what we know about the future of GDPR in the UK so far:

The law is changing.

To make some provisions for data protection after Brexit, The Data Protection, Privacy and Electronic Communications (EU Exit) Regulations 2019 were made in February of last year. While these provisions came into force on Brexit day, no actual changes will be made until the end of the transition period (December 31st 2020).

So, the law is changing, but potentially very little. It's expected that a ‘UK GDPR’ (a slightly altered version of the current regulations) will then be introduced in January 2021.

The powers that GDPR vests in the European Commission in relation to data protection for example, will be transferred to either the Secretary of State or the Information Commissioner. To put this into perspective however, the Information Commissioner already has a significant amount of power in the UK.

As a non-EU country, Britain's status is changing.

Brexit will make the UK a non-EU country. This could significantly affect international transfers between the EU and the UK, as data transfers from the EU to the UK will have much stricter rules as determined by GDPR.

The UK will, under these new terms, also have to prove its 'adequacy' to the EU, which means proving that it's a safe place to transfer data. This involves passing the EU’s rigorous testing to ensure the free flow of data can continue between the UK and the EU.

Will the EU grant the UK 'adequacy status'?

The UK government has stressed that: 'There will be no immediate change in the UK's own data protection standards. This is beacuse the Data Protection Act 2018 would remain in place and the EU Withdrawal Act would incorporate the GDPR into UK law to sit alongside it.'

The hope is that these standards will be enough to ensure the EU that the UK is a country with clear and trustworthy data protection measures, but there are outstanding concerns.

For instance, the EU may look into the UK’s crime and national security legislation, and the widely debated remit of the Investigatory Powers Act 2016. This act has been criticised by the European Court of Human Rights for giving too much power to authorities, and infringing on rights of individuals to privacy.

What will organisations need to do to prepare for a no-deal Brexit?

The UK is unlikely to be granted adequacy straight away, and in this scenario, UK organisations and businesses that receive personal data transfers from the EU will need to embed model clauses within their contracts, EC-approved data protection clauses, to ensure they are acting in compliance with Articles 46-49 of GDPR.

Will small businesses be affected?

Every business which takes personal data from EU citizens will need to consider how that data is collected and processed in the event of Brexit talks falling through. For instance, a family-run hotel which processes the personal information of EU citizens would need to make sure that their data handling is in compliance, and extra measures may be needed. Small to medium-sized businesses can find a helpful guide for this on the ICO’s website.

Final thoughts 💭

The Information Commissioner’s office have stated that they believe the UK’s version of GDPR will be adequate, alongside the Data Protection Act of 2018. They've also stated that they'll continue to be the supervisory authority on data protection in the UK, so their guidance should still be followed closely: 'We expect UK data protection law to be aligned with the GDPR, so you should continue to use our existing guidance.' The ICO further recommends that organisations of every size regularly check their 'Data Protection and Brexit' page, which also contains guidance in the event of a no-deal Brexit as well.

From the information we have, there's every reason to believe that the rights of British individuals to data protection and privacy and regulations around the use of personal data will still apply even in the event of a no-deal Brexit. However, without the voice of the European Court of Human Rights and other EU regulatory bodies, the chief concern for individuals would be the future introduction of legislation which limits or infringes upon our data privacy, especially in the area of law enforcement.

If you'd like to find out where your data is, delete it and more, sign up the Rightly platform and start sending requests, for free.

Delete your personal data