Brexit : is the UK leaving the GDPR too ?


On the 15th of January 2019, British parliament has voted massively against the Brexit deal UK Prime minister Theresa May has been negotiating for months now.

This means the “no deal scenario” is getting more relevant than ever.

Apart from all the economic consequences, there will also be a huge impact on the transfer of personal data between the EU and the UK. 

In the event of a no deal Brexit, on 29 March 2019 the EU GDPR (the EU’s General Data Protection Regulation) will be brought into law in the UK through the European Union (Withdrawal) Act 2019. If a withdrawal agreement comes into effect, and with it a transition period, the EU GDPR may also continue to be applicable in the UK as an instrument of EU legislation. 

But on the expiry of any such transition period, or in the event of a no deal Brexit, the country will have its own, standalone regime - rooted in the EU GDPR but capable of modification by future UK governments (the “UK GDPR”).

In this case, the UK becomes a “third country” as described in chapter V of the EU GDPR

That would mean that any transfer of personal data between the EU and the UK must meet one of the legal requirements as set out in the EU GDPR.

On the 13th of December 2018, the UK government already stated that they will grant an adequacy decision to the 27 EU member states in case of a no deal scenario.

This decisions states that: 

  •  the EEA Member States are recognized as “adequate” for the purpose of the UK GDPR (allowing the free flow of personal data from the UK to the EEA)

  • the UK will adopt adequacy decisions to date by the EU, allowing transfers of personal data to continue from the UK to countries such as Guernsey, Israel and US companies which are Privacy Shield signatories

  • they will recognize the EU standard contractual clauses as a valid means of transferring personal data from the UK to international recipients outside of the EEA

However, no indications so far show that the EU will mirror these statements.
In this case, multiple scenarios are possible and these scenarios will determine what companies will need to do to remain compliant:

  1. The EU grants the UK an adequacy decision. Meaning : the EU considers that the UK adequately protects data, so transfer of personal data can be continued without any further protective measures.

    However, the EU already made clear that this is not going to happen in short notice, as they have no guarantees that UK legislation will continue to protect data in the same way Europe does.
    The procedure to grant an adequacy decision could start no sooner than the 29th of March 2019, when the Brexit official is a fact and typically takes several months, if not years.

  2. More likely: No deal and no adequacy decision, so the UK becomes a third country and companies processing personal data from people in Europe, will need to comply to the GDPR on their own.

    • Appoint representatives
      Both the EU GDPR and the UK GDPR will require controllers to appoint representatives as required by Article 3(2) of the EU GDPR. UK GDPR will replicate this requirement.

    • Relations with supervisory authorities
      Organizations that are in scope of both EU GDPR and UK GDPR after the Brexit (regardless of the “deal” or “no deal” scenario) will be under the jurisdiction of at least two supervisory authorities.
      As long as it remains unclear how this will be handled, companies will need to comply with the ICO for the UK part, and choose a lead supervisory authority in the 27 remaining EU countries for any cross-border transactions.

    • Role of the DPO

      Where a DPO has been appointed, organizations should consider whether that DPO can still perform that role under both regimes, given that in the future, that person will need to have suitable expertise in both EU and UK privacy laws.

    • Remain compliant

      On Brexit, a number of steps are important to remain compliant, both for companies in Europe and in the UK :

  • Update your existing policies and procedures like privacy notices, register of processing activities, Binding Corporate Rules etc…

  • Make sure you have appropriate safeguards in place when transferring data to and from the UK

  • For UK companies operating across Europe: review structure, processing operations and data flows to make sure they apply to the changed situation.

  • Review all privacy information and internal documentation to identify and details that will need updating on Brexit

Both the ICO (Information Commissioner’s Office) and the Irish Data Protection Commission have posted guidelines on what British companies should do if that becomes reality on the 29th of March 2019.