Will GDPR Still Apply to UK Businesses after Brexit?

Whether it takes place in the coming weeks or the process is extended for another few months, the most likely outcome of the Brexit process remains the UK’s departure from the European Union. With the EU creating and shaping the most significant change to data protection law in almost two decades with the creation of the General Data Protection Regulation (GDPR), it’s fair to wonder whether this act will still apply after our departure.

What will a deal with the EU mean for the UK and GDPR?

Nobody can say for sure while the deal is still being worked on, but it is difficult to imagine significant changes to the UK’s data protection regulations being made as part of any deal.

Given that GDPR law currently applies in the UK and will do so until our date of departure, the most likely outcome is that an “adequacy decision” will be made (or may have already been made behind closed doors) regarding the UK’s level of data protection. An adequacy decision made in a country’s favour means that the EU views that country has having an adequate level of data protection, and businesses operating within that country thus do not present a risk to EU consumer data and can be dealt with in the same way as EU countries. The UK would join countries like the USA, New Zealand, Canada, Switzerland and Japan on this list.

The previous government’s position was that a “legally-binding data protection agreement” may be more appropriate than a simple adequacy decision, which would see the UK retaining a seat on the European Data Protection Board, but it is unknown whether this remains a possibility under the new administration.

What will a no-deal Brexit mean for the UK and GDPR?

While a no-deal Brexit would, in theory, allow the UK to create its own divergent set of data protection regulations, the Information Commissioner’s Office states that “if we leave the EU without a deal, most of the data protection rules affecting small to medium-sized businesses will stay the same”, and that “the UK is committed to maintaining the high standards of the GDPR (…) and the government plans to incorporate it into UK law after Brexit.”

Whilst this means in the medium term things will remain the same, the immediate aftermath of a no-deal Brexit would see EU law, including the data protection act, cease to apply overnight. The government’s advice in this situation is to ensure any business’ contracts that involve receiving data from the EU or EEA (the EU plus Iceland, Liechtenstein and Norway) countries “include Standard Contractual Clauses (SCC) or other Alternative Transfer Mechanisms (ATM) to ensure that you can continue to legally receive data from the EU/EEA.” The advice also states businesses “may need to designate a representative in the EEA.”

With regard to sending customer data from the UK to the EU/EEA, the government advises that there is no preparation required and UK businesses will be able to legally send data to the EU, EEA and the thirteen countries who’ve had adequacy decisions made by the EU in their favour.

If your business is part of a multinational with other branches of the business remaining in the EU/EEA, the government advises that you “may be able to rely on binding corporate rules (BCRs)”.

If your business doesn’t share data with businesses in the EEA, you won’t need to do anything. It is always a good idea, however, to remain aware of EU and UK data protection law and any divergences which begin to appear between them. Do this, and should you start to expand your operation to include dealings with EU and EEA countries, you can remain confident of your compliance with all data protection law.

Of course, the easiest and safest way to ensure compliance with any data protection regulations is to get in touch with Datashredders to arrange a one-off or recurring shredding visit. Fill in the form on our contact us page, dial the number at the top of this page or email info@datashredders.co.uk to find out more.